This goes up to 2TB of backup storage, so should be adequate. There appears to be a problem with formatting some USB drives as ext4 with LUKS. This might be because the onboard flash controller is specialized for FAT and nothing else.
All I can say is that it seemed like a good idea at the time, but my design skills are lousy and spamming streams with ads would certainly be counterproductive, even if they're ads for Free Software.
Currently there isn't any CI system and with the increasing number of apps there is always the need to test on different or new hardware. Pick some hardware. Try installing the system onto it.
* Are the instructions clear enough?
* Were there any failures during the install?
* Do any of the apps fail?
Reporting any failures, either as issues or by any other method, is very useful.
# Physical Testing
Testing of the mesh system in various environments. What's the maximum range for a given wifi adapter? What type of cantennas or reflectors work best on an ultra-low budget? Which wifi adapters have free software drivers? What are the simplest antenna designs which are quickest to make? Perhaps antenna advice or example deployment descriptions could be part of the documentation.
# Documentation
* Improving descriptions of processes or apps
* Fixing spelling or typos
* Adding any documentation which might be missing
* Better screenshots for apps
* Translations for the website, within the *doc* subdirectory.
* Translations of the manpages, within the *man* subdirectory.
# Artwork
The project doesn't have much of this. There are some desktop backgrounds within the *img/backgrounds* subdirectory which could be improved. Cute mascots and things like that can also help to attract interest. The mesh variant of the system has desktop icons which could also be better.
# Security Auditing
Looking for any obvious security mistakes, doing pentesting on an installed test system and reporting the results would be useful. There are already many STIG tests in the *tests* subdirectory, but having more wouldn't hurt.
# Campaigning
Ensuring that the internet doesn't become far less neutral than it already is. Encouraging ISPs not to have policies which ban people from running servers. Promoting and raising awareness that self-hosting is a thing which is actually useful. All of these activities are incredibly important to allow self-hosting to remain a viable possibility. ISPs are the bottleneck, and if they implement bad government mandated policies then it may become no longer practical or legal to run your own internet systems on your own hardware in your own home.
# Adding more apps or maintaining existing ones
Typically apps are pegged to a known good commit. One useful thing is to try recent commits and see if the app installs successfully. Do any new packages need to be installed, or old ones removed? See the developer's guide for how to add new apps to the system.
# Code Audit
It's all just bash scripts and the more eyeballs on it the more likely that mistakes will be found and fixed.
# Blogging
Just blogging about the project can help to inform people that decentralised systems exist and that they don't need to be trapped in the cloud services of $bigcorp. Even if you find some aspect of the project which sucks badly, blogging about it is one way to provide feedback which could lead to future improvements being made.
> _"With the increasing move of our computing to cloud infrastructures, we give up the control of our computing to the managers of those infrastructures. Our terminals (laptops, desktops) might now be running entirely on Free Software, but this is increasingly irrelevant given that most of what actually matters gets executed on a remote closed system that we don’t control. The Free Software community needs to work to help users keep the control of all their computing, by developing suitable alternatives and facilitating their deployment."_ -- Lucas Nussbaum
So you want to run your own internet services? Email, chat, VoIP, web sites, file synchronisation, wikis, blogs, social networks, media hosting, backups, VPN. Freedombone is a home server system which enables you to self-host all of these things, so that you keep control of your data and it resides in your own home.
You can run Freedombone on an old laptop or a single board computer. See the [list of installation methods](https://freedombone.net/installmethods.html). And here's how [on a Beaglebone Black](https://freedombone.net/beaglebone.html). You can also use it to [set up a mesh network](https://freedombone.net/mesh.html) in your local area.
Disk images which can be cloned straight to USB or microSD drives are [available here](https://freedombone.net/downloads/images.txt) in [dat format](https://datproject.org).
Want to make a community mesh network which doesn't depend upon the internet? [You can do that too](https://freedombone.net/mesh.html).
After installation it's possible that you might want some advice on how to run your system and set up apps to work nicely with it.
* [Apps available on the system](https://freedombone.net/apps.html)
Check out the [list of available apps](https://freedombone.net/apps.html) and [Frequently Asked Questions](https://freedombone.net/faq.html) section. Recent developments are also described on [the blog](https://blog.freedombone.net/tag/freedombone). You might also wish to know how to [backup and restore the system](https://freedombone.net/backups.html).
If you find bugs, or want to add a new app to this system see the [Developers Guide](https://freedombone.net/devguide.html) and [Code of Conduct](https://freedombone.net/codeofconduct.html). There is a Matrix chat room available at *#fbone:matrix.freedombone.net* and an XMPP channel at *support@chat.freedombone.net*. The XMPP channel requires membership which you can ask for via [these contact details](https://freedombone.net/support.html).
If you like this project and want to support continued development then [here's what to do](https://freedombone.net/support.html).
A dat version of the website is available at [dat://676db9db2e04a604ea6dbc798bb0d327a335c19b4856ac496ae4bb34e367633a/](dat://676db9db2e04a604ea6dbc798bb0d327a335c19b4856ac496ae4bb34e367633a/).
In any Free Software project with more than one participant inevitably there may be people with whom you may disagree, or find it difficult to cooperate. Accept that, but even so, remain respectful. Disagreement is no excuse for poor behaviour or personal attacks, and a community in which people feel threatened is not a healthy community.
## Assume good faith
Freedombone Contributors have many ways of reaching our common goal of providing freedom respecting internet or mesh systems which may differ from your ways. Assume that other people are working towards this goal.
## Be collaborative
Freedombone is a moderately complex project, though nothing big and professional like GNU. It's good to ask for help when you need it. Similarly, offers for help should be seen in the context of our shared goal of improving the system.
When you make something for the benefit of the project, be willing to explain to others how it works, so that they can build on your work to make it even better.
## Try to be concise
If you're submitting documentation then keep in mind that what you write once could be read by many other people. To avoid TL;DR keep it as short and concise as possible. This will also reduce the amount of translation effort needed.
If you're discussing an issue or bug, try to stay on topic, especially in discussions that are already fairly large.
## Be open
Most communication methods used within Freedombone (e.g. Matrix/XMPP) allow for public and private communication. Prefer public methods of communication for Freedombone-related messages, unless posting something sensitive.
This applies to messages for help, too; not only is a public support request much more likely to result in an answer to your question, it also makes sure that any inadvertent mistakes made by people answering your question will be more easily detected and corrected.
## No spamming
Posting of adverts or other off-topic content in Matrix/XMPP or other public systems used by the project will be considered a violation of the code of conduct.
## Respect others’ privacy
No stalking, unwanted personal attention, or unwelcome revealing or speculating about personal details of others.
In cases of sincere, good-faith curiosity about someone’s experience or identity, ask politely in a manner such that they will feel free to decline the request.
## No hostile communication
No insults, harassment (sexual or otherwise), condescension, ad hominem, threats, or other intimidation.
Condescension means treating others as inferior. Subtle condescension still violates the Code of Conduct even if not blatantly demeaning.
No stereotyping of or promoting prejudice or discrimination against particular groups or classes of people.
In cases where criticism of ideology or culture remains on-topic, respectfully discuss the ideas.
## In case of problems
While this code of conduct should be adhered to by participants, we recognize that sometimes people may have a bad day, or be unaware of some of the guidelines in this code of conduct. When that happens, you may reply to them and point out this code of conduct. Such messages may be in public or in private, whatever is most appropriate. However, regardless of whether the message is public or not, it should still adhere to the relevant parts of this code of conduct; in particular, it should not be abusive or disrespectful. Assume good faith; it is more likely that participants are unaware of their bad behaviour than that they intentionally try to degrade the quality of the discussion.
Serious or persistent offenders will be kicked from chat rooms and any of their subsequent patches will be unlikely to be upstreamed. In this context "serious" means that someone is causing others to feel unsafe or be unable to contribute, for whatever reason.
This is not a big project and so there is no division of labor or special enforcement committee or bureaucratic process. Complaints should be made (in private) to the maintainer or chat room admin. The typical email address can be found in the source code headers. Preferably use GPG if you can, or XMPP with OpenPGP/OMEMO to bob@freedombone.net. XMPP messages are likely to get a quicker response.
The Freedombone system isn't primarily aimed at companies or institutions, but if you're a one person company or freelancer then having the ability to run your own accounting system and keep the data private and also backed up is useful. Akaunting provides a nice web based system for small business accounts, and is also quite usable within a mobile web browser.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *akaunting*. Enter the subdomain that you wish to use, such as *accounts.mydomain.net*, and optionally a FreeDNS code.
From the *Administrator control panel* select *Passwords* and look up the password for *mariadb*.
Now in a browser navigate to your subdomain. You will need to enter some details for the database. The password should be the mariadb one.
#+attr_html: :width 80% :align center
[[file:images/akaunting_setup.jpg]]
After that you'll need to enter a company name and an email address. You can make the administrator password anything you prefer, and a suggestion can be found within the *Passwords* section of the *Administrator control panel* under *akaunting*.
#+attr_html: :width 80% :align center
[[file:images/akaunting_setup_company.jpg]]
From then on the system should be usable. Accounts software can often be quite complex, and so you'll probably want to refer to the [[https://akaunting.com/docs][official documentation]] for details.
BDS Mail (aka "Brain Dead Simple Mail") is an optional addition to the existing email server which comes installed as default. It creates an extra folder within the Mutt client which allows you to send and receive email using [[https://en.wikipedia.org/wiki/I2P][i2p]] as the transport layer. This solves the problem of being blocked by dubious systems and also the problem of user friendly email encryption. If you're behind a hostile firewall which you don't control and which blocks all ports, this system is still likely to work. You can use GPG as an additional encryption layer if you prefer, but it's not strictly necessary because you already have the i2p public key system to ensure end-to-end security.
It's unlikely that many people will use this. If it's hard to persuade anyone to use GPG or Enigmail then it will be /next to impossible/ to persuade them to switch to BDS Mail unless they're already obsessive about technical security. However, this provides yet another option for reasonably secure communications if other methods fail or are untrustable.
* Installation
ssh into the system with:
#+BEGIN_SRC bash
ssh myusername@mydomain.com -p 2222
#+END_SRC
Select *Administrator controls* then *Add/Remove Apps* then *bdsmail*. It may take a while to install, due to the creation of keys.
After installation exit from *Administrator controls* back to the user control panel then select the option to *show your email address*. You will now have a new bdsmail address which ends with /.b32.i2p/. If you then select *Use Email* to run the Mutt email client you'll notice that you now have a folder called *i2p*. If you select that folder (move up and down with /CTRL+n/ or /CTRL+p/ and open with /CTRL+o/) you can then send email from your new address, or receive mail to it. Just like ordinary email, but with a more random-looking address.
This is a databaseless blogging system which uses markdown files. It's not very complex and so there is not much to go wrong, and it should run well on any server hardware.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *bluit*. Enter the subdomain that you wish to use, such as *blog.mydomain.net*, and optionally a FreeDNS code.
Now in a browser navigate to your subdomain. You will need to enter some details for the database. You'll be asked to provide an initial administrator password.
From there on it's all pretty straightforward. If you need to publish a draft the post status can be changed on a drop down list on the right hand side.
This is similar to [[./app_etherpad.html][EtherPad]] but with better security and more document types which can be collaboratively edited in real time. It includes not just text editing but also creating presentations, voting and editing source code.
For added security this system is only available via an onion address, so you and your collaborators will need to be using Tor compatible browsers.
Enabling someone to edit a document is as simple as sending them the URL via a chat system. You can also send a read only URL for a document if you only want the recipient to be able to view but not edit.
Documents are stored locally within the browser of each user and the server just acts as a coordinator. No documents are stored on the server.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *cryptpad*. When that is complete go to *About this system* and look up the onion address. Enter that into a Tor compatible browser.
One thing to be aware of is that on this system registration and logins are disabled, so that only anonymous or pseudonymous editing is available. This prevents anyone who discovers the onion address from then disabling your server by creating millions of accounts.
[[https://datproject.org/][dat]] is a peer-to-peer system for distributing large files, such as operating system images or scientific data sets. The datserver app creates an instance of [[https://docs.datproject.org/server][hypercored]], which can then be used to host [[https://datproject.org/][dat files]] on your server, ensuring that they're always available to download.
dat is preferable to older ways of distributing files, such as ftp, because files are content addressable and can be seeded on multiple machines to provide greater speed and robustness. It also works nicely with the [[https://beakerbrowser.com/][Beaker browser]].
ssh into the system with:
#+BEGIN_SRC bash
ssh myusername@mydomain.com -p 2222
#+END_SRC
Select *Administrator controls* then *Add/Remove Apps* then *datserver*.
Once installed you can select *Administrator controls* then *App Settings* then *datserver* and add dat links to be served.
An easy way to play music on any mobile device in your home is to use the DLNA service. Copy your music into a directory called "/Music/" on an unencrypted USB thumb drive and then insert it into a USB socket on the Freedombone system.
Select *Administrator controls* then *App Settings* then *dlna*. From there you
The system will scan the /Music/ directory, which could take a while if there are thousands of files, but you don't need to do anything further other than perhaps to log out by selecting *Exit* a couple of times.
If you have an Android device then go to F-Droid (if you don't already have it installed then it can be [[https://f-droid.org/][downloaded here]]) and search for *ControlDLNA*. On running the app you should see a red Debian icon which you can press on, then you may need to select "local". After a few seconds the list of albums or tracks should then appear and you can browse and play them.
The DLNA service will only work within your local home network, and isn't remotely accessible from other locations via the internet. That can be both a good and a bad thing. Another consideration is that there are /no access controls/ on DLNA services, so any music or videos on the USB drive will be playable by anyone within your home network.
Dokuwiki is a wiki which stores its content in text files. Having no database makes maintaining it simpler, and it's not tied to any particular domain name so you can easily copy the files to a different domain if you need to.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *dokuwiki*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /wiki.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
Edith notes is the simplest and quickest kind of notes system. It has no complicated user interface. Just enter your domain and a title and a note will be created. Everything typed is saved automatically.
The speed and minimalism of this type of notes system may make it suitable for things like shopping lists or distraction free writing.
ssh into the system with:
#+BEGIN_SRC bash
ssh myusername@mydomain.com -p 2222
#+END_SRC
Select *Administrator controls* then *App Settings* then *edith*. Enter a subdomain name, such as /notes.mydomain.com/, and optionally a FreeDNS code. When the installation is complete you can then look up the password for the site within the *Passwords* section of the *Administrator control panel*, then navigate to the subdomain. Log in, then enter something like /notes.mydomain.com/testnote/ and start typing.
#+attr_html: :width 80% :align center
[[file:images/edith_notes.jpg]]
It is possible to turn off the login via *App Settings/edith* if you wish, but this will enable anyone on the internet to view or edit notes on your system, which could have obvious privacy or stability implications. From *App settings/edith* it's also possible to browse through your notes files.
Emacs is a text editor popular with software developers or anyone who needs to take notes at high speed or be able to customise their editing environment to a high degree. When installed on Freedombone it can be used together with the Mutt email client to edit new emails, or if you need to manually edit configuration files.
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps*. If Vim is selected then you might want to unselect and uninstall it first, then select *emacs*.
For real time collaborative editing of documents Etherpad is a well known system which is hard to beat. Just log in, choose a document title and then edit. Different users will appear in different colours, and can also chat in the sidebar. This is installed as a private system in which only users on your Freedombone server will be able to create and edit documents, so it's not open to any random users on the internet.
If security is an especially important factor then you might also want to consider installing [[./app_cryptpad.html][CryptPad]] instead. It has more features and doesn't store any documents on the server.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *etherpad*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /wiki.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
Federated wikis are a relatively new concept. There can be multiple copies of the same page on different servers and it's then easy to pick which version you prefer, or make something new. It's like wiki meets mashup meets federation, and so is different from many previous web paradigms and may take some recalibration of how you think the web should work.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *fedwiki*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /wiki.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
* Usage
First you'll need to get the login password, which can be found on the *Administrator control panel* under *Passwords* then *fedwiki*.
Navigate to your wiki site then click on the *lock icon* at the bottom of the screen and enter the password. It should then appear unlocked. If you don't unlock then any edits you make won't be saved.
There are a few things to know about using the federated wiki.
* You can edit by clicking on the *wiki* button at the bottom of the screen
* To edit a paragraph double click on it
* To remove a paragraph just delete all of its text
* Paragraphs can be dragged up and down to change their order, or moved between pages
* To add a new paragraph use the *+* button
* You can use left and right cursor keys to move through pages
* To claim/fork a page from another server click on the flag icon
* When done editing click on the *wiki* button again
* Different versions of the same page on different servers are represented by boxes at the bottom right of the screen. You can double click on them to see the different versions, and use the flag icon to fork if you prefer that version
Friendica is a federated social networking system. It can federate with other popular systems such as GNU Social and Diaspora. Currently Friendica only works on the clearnet and doesn't have an onion address.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *friendica*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /friendica.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Friendica. If the certificate is obtained successfully then you will see a congratulations message.
* Initial setup
If you have just obtained a Let's Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Friendica domain listed there. You can then navigate to your site in a browser.
On first visiting your Friendica site you'll see the login screen. The first thing you need to do is to select *register* to create a new Friendica administrator user. The first user on the system then becomes its administrator.
#+attr_html: :width 80% :align center
[[file:images/friendicaadmin.jpg]]
Friendica has numerous addons which you might want to explore. Select the small icon next to the search box and you will get to the administrator settings. Select *plugins* and you can then configure which ones you want. From the *site* settings you can also force all links to use SSL/TLS for added security.
You can have as many users register as you wish, but it's a good idea to close registrations once you don't need any more accounts in order to prevent millions of random users from the internet setting up home on your Friendica site and ruining the performance of your server. To do that go to the *Administrator control panel* and select *App Settings* then *friendica*. You can then choose the option to prevent new account registrations.
Ghost is a blogging system which uses markdown formatted posts. It's quite simple to use, and also looks nice even on small mobile screens.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *ghost*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /blog.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Ghost. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
* Initial setup
If you have just obtained a Let's Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Ghost blog domain listed there along with an onion address. You can then navigate to your site in a browser.
To see the login password for your site go to *Passwords* on the *Administrator control panel* and select the appropriate username and app. The passwords will be different for each user and may not be the same as the password which you used to originally ssh into the system.
Navigate to https://yourghostblogdomain/ghost and click on *create your account*.
Enter your email address, password and blog title.
When prompted to invite users click on *I'll do this later*.
Under *Settings* on the *General* option you can set a description, background image and so on.
GNU Social is typically referred to as a microblogging system, although with a maximum post length much longer than Twitter it's really a sort of federated community blog with a stream-based appearance which also supports markdown formatting.
You can host your own GNU Social instance and then "/remote follow/" other users who may also be doing the same. With a federated structure this type of system is hard to censor or ban. Unlike Twitter, there are no bribed adverts pushed into your stream, and any trends happening are likely to be real rather than being manipulated by some opaque algorithm.
You should regard anything posted to GNU Social as being /public communication/ visible to anyone on the internet. There is a direct messaging capability between users but it's not particularly secure, so for one-to-one messages stick to better methods, such as XMPP with OpenPGP/OMEMO or Tox.
Some general advice about life in the fediverse [[./fediverse.html][can be found here]].
#+attr_html: :width 100% :align center
[[file:images/gnusocial_pleroma.jpg]]
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *gnusocial*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. You can also add a welcome message and background picture URL if you wish, although those things are optional. Typically the domain name you use will be a subdomain, such as /gnusocial.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for GNU Social. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
* Initial setup
If you have just obtained a Let's Encrypt certificate as above then go to *About* on the administrator control panel and you should see your GNU Social domain listed there along with an onion address. You can then navigate to your site in a browser.
Once you have logged in to GNU Social you may then want to select *Admin* and ch
GNU Social has a clutter-free mobile user interface which can be accessed via a Tor compatible browser (make sure to add a NoScript exception). Unlike similar proprietary sites there are no bribed posts.
#+BEGIN_CENTER
#+attr_html: :width 80% :align center
[[file:images/gnusocial_mobile.jpg]]
#+END_CENTER
* Switching user interfaces
A few web based user interfaces are available for GNU Social. They are selectable by going to the *Administrator control panel* and choosing *App settings* then *gnusocial*.
#+attr_html: :width 80% :align center
[[file:images/gnusocial_settings.jpg]]
* *Qvitter*: Looks similar to Twitter during its golden era, before the ads and other antifeatures arrived
* *Pleroma*: A modern and lightweight user interface
* *Classic*: Like the original StatusNet UI. Minimal Javascript and has good support for threaded conversations.
* Using with Emacs
#+attr_html: :width 100% :align center
[[file:images/gnu-social-mode.jpg]]
If you are an Emacs user it's also possible to set up GNU Social mode as follows:
| Key | Action |
|-----+--------|
| j | Next |
| k | Previous |
Showing timelines:
| Key | Action |
|-----+--------|
| g | Current timeline |
| CTRL-c CTRL-a | Public timeline |
| CTRL-c CTRL-g | Group timeline |
| CTRL-c CTRL-t | Tag timeline |
| CTRL-c CTRL-k | Stop |
| CTRL-c CTRL-u | User timeline |
| CTRL-c CTRL-c | Conversation timeline |
| CTRL-c CTRL-o | Remote user timeline |
| CTRL-c CTRL-d | Post direct Message |
If you have the GNU Social microblogging system installed then it's also possible to share things or services between groups or with particular users. This can be useful for sharing items within a family, club or in a local sharing economy. Sharing things freely, without money, reveals the social basis at the root of all economics which money normally conceals or obscures.
Click on "/share/" or "/my catalog/" and this will switch to a screen which allows you to enter details for things to be shared or wanted.
#+BEGIN_CENTER
[[file:images/sharings3.jpg]]
#+END_CENTER
The "/catalog/" button then allows you to search for shared things within the federated network.
The biggest hazard with GNU Social is that it's part of a public federated communications system. This means that conversations and replies from other servers may end up in your "whole known network" stream. The internet being what it is, some of these could be undesirable. You can block individual users or entire domains by going to the *Administrator control panel* and selecting *Domain or User Blocking*, then adding or removing entries. This blocks domains at the firewall level and also at the level of database and file storage.
If you want to block a particular user then select *Block a domain or user* and enter the user in the format *username@domaintoblock* (similar to an email address).
Github is ok, but it's proprietary and funded by venture capital. If you have been around on the internet for long enough then you know how this story eventually works itself out - i.e. badly for the users. It's really only a question of time. If you're a software developer or do things which involve the Git version control system then it's a good idea to become accustomed to hosting your own repositories, before the inevitable Github shitstorm occurs.
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *gogs*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /code.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *htmly*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /blog.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
Hubzilla is a web publishing and social network system which includes wiki, web pages, photo albums and file storage. It also has privacy controls which allow you to define who can see which content. It's possible to write posts and have them visible only to a group of friends (known as "/privacy groups/"), with the encryption being handled automatically. Currently Hubzilla only works on the clearnet and doesn't have an onion address.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *hubzilla*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /hub.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Hubzilla. If the certificate is obtained successfully then you will see a congratulations message.
* Initial setup
If you have just obtained a Let's Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Hubzilla domain listed there. You can then navigate to your site in a browser.
On first visiting your Hubzilla site you'll see the login screen. The first thing you need to do is *register* a new user. The first user on the system then becomes its administrator.
Icecast enables you to run something like an internet radio station. So if you have multiple audio files and want to be able to stream those in sequence from a web site then this can be useful.
This system is available only via an onion address, which should mitigate the potential for copyright disputes over streamed content. By default it's only set up to stream to a small number of users so that it doesn't put too much stress on CPU or memory requirements, although you can increase the maximum limit if you have a more powerful system and enough bandwidth.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password. Select *Add/Remove Apps* then *icecast*.
If you then go to the *About* screen you'll see the onion address for Icecast and can navigate to it in a Tor compatible browser.
* Adding files to be streamed
There are two ways to get files onto the system: either via ssh or via a USB drive. File types can be *ogg, ogv, mp3 or mp4* format.
It may take a while for the files to import, especially on a low power single board computer, since any mp3 or mp4 files will be converted to ogg or ogv. If you want to speed this up then you could do this conversion manually on a laptop with ffmpeg before storing files onto the USB drive or uploading them via ssh.
** From a USB drive
Create a directory on the USB drive named *icestream* and copy your files into there. Plug the drive into your server.
Go to the *Administrator control panel*, select *App settings*, then *icecast*, then *Import stream files from USB drive*.
** Via ssh
Make a directory named *icestream* and copy your files into it. Then copy the directory to your server.
Select *Administrator controls*, enter your password, then go to *App settings* followed by *icecast* and *Import stream files*. Use the up and down cursor keys to choose the directory.
* Access controls
By default anyone who happens to find your Icecast onion address can listen to your stream. If you only want it to be available to a few friends or family then you can add an extra login password.
Go to the *Administrator control panel*, select *App settings*, then *icecast*, then *Enable login for stream users*. Take a note of the password and you can give that out to whoever needs access, preferably via an encrypted chat app or sneakernet. If you need to copy and paste then hold the shift key while highlighting the password.
IRC is useful for multi-user chat. The classic use case is for software development where many engineers might need to coordinate their activities, but it's also useful for meetings, parties and general socialising.
Enter first and second nicknames and check *connect to this network on startup*.
If you are using the ordinary domain name (clearnet/ICANN) then make sure that *Use SSL* is checked.
#+attr_html: :width 80% :align center
[[file:images/hexchat_setup_clearnet.jpg]]
If you are using the onion address then *use SSL* should be unchecked and the transport encryption will be handled via the onion address itself.
#+attr_html: :width 80% :align center
[[file:images/hexchat_setup.jpg]]
Within the *Password* field enter the password which can be found from the IRC menu of the *control panel*.
Kanbans are one way of managing projects. They're traditionally used in businesses but can also be useful for personal TODO lists or within open source or DIY projects. If you have a list of things which need to be done and want to keep track of progress then this provides a way to do that.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *kanboard*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /kanban.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for KanBoard. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
* Initial setup
If you have just obtained a Let's Encrypt certificate as above then go to *About* on the administrator control panel and you should see your KanBoard domain listed there along with an onion address. You can then navigate to your site in a browser.
The default login is username "admin" and password "admin". Obviously the first thing you'll need to do is log in and change the password, which can be done by going to "My Profile" on the drop down list on the right hand side.
For more details of how to use KanBoard see the [[https://kanboard.net/documentation][documentation here]].
The /web of trust/ is a nice idea, but how trustable is it? If you take a look at how many OpenPGP key servers are out there then there are two or three main ones and not much else. Can you trust those servers? Who is maintaining them and how often? Is any censorship going on? How hard would it be for adversaries to get implants onto them? In terms of technology this infrastructure is quite old and it could have been neglected for a long time. Once vigilant maintainers might have turned lazy and gotten lax with server security, or been recruited over to the dark side.
For these kinds of reasons you might prefer to run your own web of trust infrastructure. In simple terms it's a database of GPG public keys which provides a way for users to /find out how to communicate with others securely via email/. You can meet in person and exchange public keys via sneakernet on USB drives, but most users of GPG don't do that. Instead they just download the public key for a given email address from one of the key servers.
#+attr_html: :width 80% :align center
[[file:images/keyserver.jpg]]
* Installation
ssh into the system with:
#+BEGIN_SRC bash
ssh myusername@mydomain.com -p 2222
#+END_SRC
Select *Add/Remove Apps* then *keyserver*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /keys.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for the Key server. If the certificate is obtained successfully then you will see a congratulations message.
* How to use it
Interaction with the web user interface is pretty minimal and obvious, but most likely you will also want to be able to use your keyserver from the command line. To do that use the *--keyserver* option. For example to search for a key on your server:
Key servers avoid censorship or errors by gossiping between each other and cross referencing the data. You can define which other servers your key server will gossip with by going to the *Administrator control panel*, selecting *App Settings* then *keyserver* then *Sync with other keyserver*.
It's a good idea not to try to sync with the popular OpenPGP key servers, because those have gigantic databases which may make your server unstable and certainly would make it hard to create backups within a tractable amount of time. This option is mainly intended to sync with other Freedombone systems or small home servers within a particular community.
* Possible problems
OpenPGP key servers are not very well defended from flooding attacks. This means that an adversary could just upload a billion keys to destabilize the server and fill it with nonsense to make it unusable. Since key servers are /fully open to the public/ there isn't anything to prevent that from happening.
Within the Freedombone system there is a watchdog script which keeps track of the key server database size, and disables the key server if that gets too large. Apart from the usual firewall and web server traffic rate limits, this is a crude but probably practical way of defending against flooding.
If a flood attack does happen then really the only way to recover is to restore from the last known good backup, which can be done from the *Administrator control panel*.
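The database-size watchdog described above, as an added example that is not Freedombone's own script: it measures the key server database directory with du, stops the service once the size passes a limit, and leaves a marker file so later cron runs don't repeat the action. The database path, service name and size limit are assumptions (placeholders) to adjust for a real deployment.

```bash
#!/bin/sh
# Added example, not Freedombone's watchdog: disable the key server when its
# database grows beyond a limit, a crude defence against key flooding.
# All three values below are assumptions; override them via the environment.
KEYSERVER_DB="${KEYSERVER_DB:-/var/lib/keyserver/db}"   # assumed database path
KEYSERVER_SERVICE="${KEYSERVER_SERVICE:-keyserver}"     # assumed service unit name
MAX_DB_KB="${MAX_DB_KB:-2097152}"                       # 2 GiB, a constructed limit

# Total size of a directory tree in kilobytes (du -sk is POSIX).
dir_size_kb() {
    du -sk "$1" 2>/dev/null | cut -f1
}

# Succeeds (exit 0) when the directory is larger than the limit in KB.
db_too_large() {
    size=$(dir_size_kb "$1")
    [ -n "$size" ] && [ "$size" -gt "$2" ]
}

# Stop the key server and record when it happened in a marker file.
# The stop command is a parameter so the logic can be exercised without
# touching real services (the default assumes systemd).
disable_keyserver() {
    marker="$1"
    stop_cmd="${2:-systemctl stop $KEYSERVER_SERVICE}"
    $stop_cmd || return 1
    date -u +%Y-%m-%dT%H:%M:%SZ > "$marker"
    logger -t keyserver-watchdog "database over limit, service stopped" 2>/dev/null || true
}

# One watchdog pass. Prints exactly one of: ok, disabled, already-disabled.
# Arguments: database dir, limit in KB, marker file, optional stop command.
watchdog_pass() {
    db="$1"; limit="$2"; marker="$3"; stop_cmd="$4"
    if [ -f "$marker" ]; then
        # Already tripped on an earlier run; an operator restores from backup.
        echo already-disabled
        return 0
    fi
    if db_too_large "$db" "$limit"; then
        disable_keyserver "$marker" "$stop_cmd" && echo disabled
    else
        echo ok
    fi
}

# Intended to be run from cron, for example every ten minutes:
#   */10 * * * * root /usr/local/bin/keyserver_watchdog.sh --run
if [ "${1:-}" = "--run" ]; then
    watchdog_pass "$KEYSERVER_DB" "$MAX_DB_KB" /var/run/keyserver_watchdog.disabled
fi
```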
This enables you to store your music on the Freedombone server and then access it from any internet connected device. If you just want to make music accessible within your home network then [[./app_dlna.html][DLNA]] is usually sufficient, but if you want to be able to play your music from anywhere then [[https://koel.phanan.net][Koel]] is a better option.
#+attr_html: :width 80% :align center
[[file:images/koel.jpg]]
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *koel*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /music.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
Go back to the *Administrator control panel*, select *Passwords* then *koel*. You can then use this password together with your email address to initially log in.
Once logged in go to settings and set the media path to */music*.
#+attr_html: :width 80% :align center
[[file:images/koelsettings.jpg]]
* Importing music
This app doesn't have any way to upload music and instead just expects that there will be a directory on the server containing music files. There are a couple of ways to get new music files onto the system: either by using ssh or by putting them onto a USB drive.
This will copy any files in your local Music directory to your home directory on the Freedombone system.
Now log in to your Freedombone system:
#+begin_src bash
ssh username@domainname -p 2222
#+end_src
And select *Administrator settings* followed by *App settings* then *koel*. Select *Import music from directory* then using up and down cursors select the directory and *press space* so that it appears in the selection box below. Select *Ok* and then the files will be moved to their final destination in the */music* directory.
** Via USB drive
Create a LUKS formatted USB drive. It's possible to do this by plugging a new USB drive into the Freedombone system then going to the *Administrator control panel*, selecting *App settings* then *koel* then *Format a USB drive*. You will need to specify a password, which in this case doesn't need to be anything highly secure.
Once the drive is formatted you can remove it and copy music files onto it from other systems. Make sure the files are contained within a directory named *Music*.
Once you have music on a LUKS formatted USB drive then plug it into the Freedombone system. Go to the *Administrator control panel*, select *App settings* then *koel* then *Import music from USB drive*. Enter the password you used to create the drive and music files will then be copied.
** Synchronizing
To detect the imported files you might need to re-synchronize. Within Koel go to settings and then select *Scan*. Any imported files should then be available to play.
Lychee is a simple and lightweight photo album for the web. Whether you're an amateur or professional photographer, or just want to publish random holiday pics or cat pictures, Lychee does what it says it does without any fuss. There is also a photo album feature within [[./app_hubzilla.html][Hubzilla]] if you need more sophisticated social photo sharing with individualised permissions.
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *lychee*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /code.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
If you have just obtained a Let's Encrypt certificate as above then go to *About*
Within a browser navigate to your lychee domain name or onion address. It should look like this:
#+BEGIN_CENTER
#+attr_html: :width 80% :align center
[[file:images/lychee_setup.jpg]]
#+END_CENTER
Within the *Administrator control panel* select *App Settings* and then *lychee*. This will show the initial login settings which you need to set up the database. To copy the password hold down the shift key, select the password then right click and copy.
Mailpile provides a nice looking webmail interface suitable for use on desktop or mobile clients. It has good support for email encryption and makes that quite a simple process. At present it's usable but still has a few bugs and limitations. If you need a fully functional email client with comprehensive encryption support then either use Mutt or Thunderbird/Icedove.
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *mailpile*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /mail.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
Uncheck *Detect Settings* and click *Next*.
Under *Sending Mail* select *local* or if you need to proxy outgoing email through your ISP's server select *SMTP/TLS* and enter the details, then click *Next*.
#+BEGIN_CENTER
#+attr_html: :width 80% :align center
[[file:images/mailpile_setup.jpg]]
#+END_CENTER
Under *Receiving files* select *IMAP*, the domain as *localhost*, port *143* and your username, then click *Next*. Astute readers may well be concerned that IMAP over port 143 is not encrypted, but since this is only via localhost, communication between the Mail Transport Agent and Mailpile doesn't travel over the internet, and port 143 is not opened on the firewall, so it's not possible to accidentally connect an external mail client insecurely.
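A way to confirm the claim above on a running server, as an added example that is not part of the original documentation: parse the listening sockets reported by ss -ltn and flag any listener on port 143 that is bound to something other than loopback. The sample socket table in the comments is constructed to mirror the ss -ltn column layout.

```bash
#!/bin/sh
# Added example (not Freedombone's code): check that a plaintext service such
# as IMAP on port 143 only listens on loopback addresses.
#
# Input format is the table printed by `ss -ltn`, for example (constructed):
#   State  Recv-Q Send-Q Local Address:Port Peer Address:Port
#   LISTEN 0      100    127.0.0.1:143      0.0.0.0:*
#   LISTEN 0      100    [::1]:143          [::]:*

# Reads an ss -ltn table on stdin and prints the local address of every
# LISTEN socket on the given port that is NOT a loopback address.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            # Local Address:Port is column 4; the port follows the last colon,
            # which also handles bracketed IPv6 addresses such as [::1]:143.
            if (!match($4, /:[0-9]+$/)) next
            p = substr($4, RSTART + 1)
            addr = substr($4, 1, RSTART - 1)
            if (p != port) next
            if (addr == "127.0.0.1" || addr ~ /^127\./ || addr == "[::1]") next
            print addr
        }'
}

# Succeeds (exit 0) when no non-loopback listener exists on the port.
port_is_localhost_only() {
    [ -z "$(exposed_listeners "$1")" ]
}

# Live check against the real socket table; ss is part of iproute2.
# Prints a verdict and returns the same status as port_is_localhost_only.
live_port_check() {
    port="${1:-143}"
    if ss -ltn 2>/dev/null | port_is_localhost_only "$port"; then
        echo "port $port: loopback only"
    else
        echo "port $port: EXPOSED on $(ss -ltn | exposed_listeners "$port" | tr '\n' ' ')"
        return 1
    fi
}
```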
#+BEGIN_CENTER
#+attr_html: :width 80% :align center
[[file:images/mailpile_setup_keys.jpg]]
#+END_CENTER
Under *Security and Privacy* either select your existing encryption key or if you only get the option to create a new one then do so, then click *Add* or *Save*.
You will then be asked for a password. Confusingly, this won't be the password you gave initially when setting up Mailpile. It's the original *ssh password* which you used to set up the Freedombone system.
The process of importing your email should then occur, and can take some time.
Matrix is a federated communications system, typically for multi-user chat, with end-to-end content security features. You can consider it to be like a modernized version of IRC chat where the crypto and access controls have been built in by default. At present Matrix is really only a creature of the clearnet and so there isn't any way to protect the metadata. Despite the talk of security, the lack of metadata defenses makes this really only suitable for public communications, similar to microblogging or public IRC channels.
Another consideration is that since Matrix operates on the usual HTTPS port number (443), this may make it difficult for ISPs or governments to censor this type of communication via port blocking without significant blowback.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *matrix*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /matrix.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
* Initial setup
Go to the *Administrator control panel* and select *Passwords* then *matrix*. This will give you the password to initially log in to the system and you can change it later from a client app if needed.
Install the *Riot* app from *F-droid* on a mobile device. You can then log in with your username and password, making sure to select a custom server and then entering your Matrix domain name for both the main server and identity server.
Other client apps are available but are currently mostly only at the alpha stage. You can also install the [[./app_riot.html][Riot freedombone app]] if you need a user interface for desktops or laptops.
* DNS setup
It's recommended that you add an SRV record for Matrix to your DNS setup. How you do this will depend upon your dynamic DNS provider and their web interface. On FreeDNS on the subdomains settings in addition to the subdomain which you are using for the matrix server create an extra entry as follows:
#+begin_src text
Type: SRV
Subdomain: _matrix._tcp
Domain: [yourdomain]
Destination: 10 0 8448 [yourmatrixsubdomain]
#+end_src
You may also want to make another entry with the same settings but replacing *tcp* with *udp*.
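A check for the SRV record above, as an added example that is not part of the original documentation: it reads the answer section in the form printed by dig +short SRV (priority, weight, port, target) and verifies that one answer points at your Matrix subdomain on port 8448. The domain names are assumptions; the sample answers in the test are constructed.

```bash
#!/bin/sh
# Added example (not Freedombone's code): validate the _matrix._tcp SRV record.
# dig +short SRV prints one answer per line as "priority weight port target."
# with a trailing dot on the target, e.g. "10 0 8448 matrix.example.net."

# Reads SRV answers on stdin. Prints "ok" and succeeds when an answer has the
# expected target and port; otherwise prints the non-matching answers (if
# any) and fails. Port defaults to 8448, the Matrix federation port.
check_matrix_srv() {
    awk -v host="$1" -v port="${2:-8448}" '
        NF >= 4 {
            target = $4
            sub(/\.$/, "", target)          # strip the trailing dot from dig output
            if ($3 == port && target == host) { found = 1; next }
            bad = bad $0 "\n"
        }
        END {
            if (found) { print "ok"; exit 0 }
            printf "%s", bad
            exit 1
        }'
}

# Live query. Arguments: your domain (the zone) and the Matrix subdomain
# the record should point at; both are placeholders for your own setup.
live_matrix_srv_check() {
    dig +short SRV "_matrix._tcp.$1" | check_matrix_srv "$2"
}
```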
* Mobile app
If you're using the Riot mobile app to access your Matrix homeserver then you can significantly improve battery performance by going to the *settings* and changing *Sync request timeout* to 30 seconds and *Delay between two sync requests* to 600 seconds. Also turning off *msgs in group chats* will help, since it will avoid getting a notification whenever a group chat event happens, which then wakes up the screen.
With Mediagoblin you can host video and audio content in a similar manner to the proprietary systems such as YouTube and SoundCloud. This system supports free media formats such as /webm/, /ogv/ and /ogg/. Another similar system which might be better fitted for small servers is [[./app_peertube.html][PeerTube]], since it uses webtorrent to distribute video files. Webtorrent will only work with WebRTC enabled browsers though.
When hosting media files you should take into consideration that since anyone on the internet can view your content then this could significantly increase your bandwidth usage and overall strain on the server. Also unless you are just hosting images then hardware such as the Beaglebone Black won't be powerful enough for a good user experience when either uploading or playing back videos. It's recommended that you use one of the more powerful quad (or more) core single board computers or an old laptop if you want to run Mediagoblin on it.
#+attr_html: :width 50% :align center
#+BEGIN_CENTER
[[file:images/mediagoblin.jpg]]
#+END_CENTER
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *mediagoblin*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. You can also add a welcome message and background picture URL if you wish, although those things are optional. Typically the domain name you use will be a subdomain, such as /media.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Mediagoblin. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
* Initial setup
If you have just obtained a Let's Encrypt certificate as above then go to *About* on the administrator control panel and you should see your Mediagoblin domain listed there along with an onion address. You can then navigate to your site in a browser.
Create an account and verify it by returning to the *user control panel* opening the email client and looking for the Mediagoblin verification email. It will contain a link that you should follow to activate the account.
You should repeat that for however many accounts you want on the system and then go back to the *administrator control panel*, select *App Settings* then *mediagoblin* and turn off new registrations. This will prevent millions of spam accounts from being created by internet bots.
* File formats
It's a good idea to upload videos in /webm/ format. In that case Mediagoblin will skip the transcoding step (which can take hours for videos of non-trivial length) and the whole process will be quicker. Transcoding just converts whatever file format you submit into a standard resolution and file type. On your local system you can convert a video to webm with:
#+begin_src bash
ffmpeg -i myvideo.mp4 myvideo.webm
#+end_src
Or if you are moving a video from YouTube to your own site:
Mumble is a well known VoIP system originally used for gaming, but which works just as well for any general conference calls or meetings.
In addition to voice it is also possible to do text chat via mumble. The security of this is pretty good provided that you do it via Plumble and Orbot on mobile, but compared to other options such as XMPP/Conversations or Tox the security is not as good, since the mumble server currently doesn't support forward secrecy.
* Using with Ubuntu
First ensure that tor is installed. Within a terminal:
#+begin_src bash
sudo apt-get install tor
#+end_src
Within the software center search for "mumble" and install the client then run it. Skip through the audio setup wizard. Cancel the initial connection window.
From the menu select *Configure* then *Settings*. Select the *Advanced* checkbox then select *Network*. Select *Force TCP mode* and proxy type *Socks5*. Hostname should be set to *localhost* and port should be *9050*.
#+attr_html: :width 80% :align center
[[file:images/mumble_config.jpg]]
Select *Apply* and *Ok*, then on the menu *Server* and *Connect*.
Click on "add new" to add a new server and enter the *default domain name* for the Freedombone (currently the onion address isn't supported, but might be in future), your username (which can be anything) and the VoIP server password which can be found in the *Passwords* section of the *Administrator control panel*. Accept the self-signed SSL certificate if you don't have a Let's Encrypt certificate set up for your default domain. You are now ready to chat.
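To confirm that the proxy settings above actually carry the Mumble connection over Tor, the added example below (not part of the Freedombone documentation or the Mumble project) performs the SOCKS5 greeting and CONNECT against localhost:9050 and reports what Tor answers. The hostname is handed to Tor unresolved, so no DNS lookup happens locally; =MUMBLE_PORT= is Mumble's default port, assumed unchanged, and the server name in the usage line is constructed.

```python
"""Probe a Mumble server through Tor's SOCKS5 port (localhost:9050, TCP only)."""
import socket
import struct

TOR_SOCKS = ("127.0.0.1", 9050)   # the proxy hostname and port set in Mumble above
MUMBLE_PORT = 64738                # Mumble's default port (assumed unchanged)

SOCKS5_REPLY_TEXT = {
    0x00: "succeeded",
    0x01: "general SOCKS server failure",
    0x02: "connection not allowed by ruleset",
    0x03: "network unreachable",
    0x04: "host unreachable",
    0x05: "connection refused",
    0x06: "TTL expired",
    0x07: "command not supported",
    0x08: "address type not supported",
}


def socks5_greeting() -> bytes:
    """Version 5, one authentication method offered: 0x00 (none), which Tor accepts."""
    return b"\x05\x01\x00"


def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT (0x01) with a domain-name target (0x03) so Tor resolves the name."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for a SOCKS5 domain-name address")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_greeting_reply(data: bytes) -> None:
    """The proxy must pick SOCKS version 5 and the no-authentication method."""
    if len(data) != 2 or data[0] != 0x05:
        raise ValueError(f"not a SOCKS5 greeting reply: {data!r}")
    if data[1] != 0x00:
        raise ValueError("proxy refused the no-authentication method (0x%02x)" % data[1])


def parse_connect_reply(data: bytes) -> str:
    """Return the status text; raise if Tor could not build a circuit to the target."""
    if len(data) < 2 or data[0] != 0x05:
        raise ValueError(f"not a SOCKS5 reply: {data!r}")
    status = SOCKS5_REPLY_TEXT.get(data[1], f"unknown reply code {data[1]}")
    if data[1] != 0x00:
        raise ConnectionError(f"Tor could not reach the server: {status}")
    return status


def probe_mumble_via_tor(host: str, port: int = MUMBLE_PORT, timeout: float = 30.0) -> str:
    """Open a TCP connection to host:port through Tor; returns the SOCKS status text."""
    with socket.create_connection(TOR_SOCKS, timeout=timeout) as sock:
        sock.sendall(socks5_greeting())
        parse_greeting_reply(sock.recv(2))
        sock.sendall(socks5_connect_request(host, port))
        # reply header (4) + longest address form (1 + 255) + port (2)
        return parse_connect_reply(sock.recv(4 + 256 + 2))


if __name__ == "__main__":
    # Constructed server name; needs a running Tor SOCKS listener on localhost:9050.
    print(probe_mumble_via_tor("freedombone.example.net"))
```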
* Using with Android
Install [[https://f-droid.org/][F-Droid]]
Press the plus button to add a Mumble server.
Enter a label (which can be any name you choose for the server), the default domain name of the Freedombone or preferably the mumble onion address as shown on the *About* screen of the *Administrator control panel*, your username (which can also be anything) and the mumble password which can be found in the *Passwords* section of the *Administrator control panel*. Leave the port number unchanged.
Open the settings. Select *General*, then *Connect via Tor*. This will provide better protection, making it more difficult for adversaries to know who is talking to who. If connecting through Tor is unreliable and causes crashes then unselect *Connect via Tor* on the *General settings* and then just use your ordinary domain name.
Selecting the server by pressing on it then connects you to the server so that you can chat with other connected users.
NextCloud is a system for file synchronisation and also has many other plugins for calendar, videoconferencing, collaborative document editing and federated file sharing. It's a lot more elaborate than Syncthing, but there may be situations where centralized control of your files on your server is better than a purely peer-to-peer approach (eg. if you need to remove a user's access to files).
The videoconferencing plugin requires a browser with WebRTC support and so is unlikely to work in a Tor browser, but may still be a better option than using proprietary systems.
* Operational considerations
If your ISP or the government in your area is part of your threat model then NextCloud may not be the best choice for hosting files and [[./app_syncthing.html][Syncthing]] could be preferable. In the past the NextCloud company is known to have remotely scanned servers without permission and reported server admins who don't immediately update to the latest version of the software to their ISPs or to questionable government agencies. Depending upon where you are located such activities by the developer, which are not really in the spirit of independent self-hosting, could have very undesirable results.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *nextcloud*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /cloud.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
* Initial setup
Go to the *Administrator control panel* and select *Passwords* then *nextcloud*. This will give you the password to initially log in to the system and you can change it later from a client app if needed.
With a browser navigate to the domain which you gave during installation and log in.
You can also install the mobile client from F-droid.
This is a video hosting system similar to Mediagoblin but using webtorrent to help distribute the files to or between clients. This should be more practical for situations where a video becomes popular because the load is then spread across the network, with performance increasing with the number of nodes. However, the torrenting aspect of it only works with WebRTC enabled browsers and so this means it's unlikely to fully work with a Tor browser. Without WebRTC, from a user's point of view it's effectively the same thing as Mediagoblin.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *peertube*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /video.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
Although PeerTube can handle a few formats *webm* is the currently recommended one. Other formats might not play in some browsers or on some libre distros.
* Initial setup
Navigate to your site and select *Signup* to create a new account. By default the maximum number of accounts on your system is limited to a small number so that millions of random internet users can't then begin uploading dubious content. After that it's pretty straightforward.
If you wish it's possible to turn off further signups via the *Administrator control panel* under *App settings* for *peertube*.
* Importing videos from YouTube/Vimeo/Dailymotion
It's possible to import videos from the main proprietary video hosting sites. /Only do this if they're videos which you made, or if the license is Creative Commons/. Hosting arbitrary videos under nonfree licenses is likely to get you into trouble, and we know how that works out from the P2P wars of the 2000s (i.e. badly).
Go to the *Administrator control panel*, select *App settings* then *peertube* then *Import videos from YouTube/Vimeo/Dailymotion*. Enter your PeerTube login details and then you may specify either the individual video URL or the channel URL if you want to import a whole channel.
* Importing videos from your desktop
The most convenient way to add new videos to PeerTube is if you have the *syncthing* app installed. Set up [[./app_syncthing.html][syncthing]] with a folder called ~/Sync in your home directory. Create a subdirectory called *~/Sync/peertube_upload*. Within that directory make a text file called *login.txt*. This will contain your PeerTube login details.
The first line of login.txt should be your username, the second line should be the password and optionally the third line can contain the words *public* and/or *nsfw*, if you want to make imported videos immediately public or mark them as not suitable for work.
Prepare your videos preferably in *webm* format. Other formats may be poorly supported, especially on libre distros. To minimize bandwidth usage try to keep your videos as small as possible. Giant videos with incredibly high resolution tend to result in a bad user experience. Often just converting your videos to *webm* using *ffmpeg* will keep the size down.
Now copy or drag and drop your videos into the *~/Sync/peertube_upload* directory. Syncthing will sync to the server and automatically add the videos to PeerTube. Depending on how large the videos are this may take some time.
Imported videos can be seen by logging into PeerTube, selecting *My account* then the *My videos* tab. You can then view them, add a description and select to make them public if you wish.
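The added example below (not Freedombone's own import script) prepares a *~/Sync/peertube_upload* directory for the procedure above: it parses *login.txt* in the format just described, warns when that plaintext password file is readable by other local users, and builds the *ffmpeg* webm conversion the Mediagoblin and PeerTube sections both recommend, capped at 720p so uploads stay small. The 720p cap, the vp9/opus settings and the sample file names are assumptions for illustration.

```python
"""Helper for the Syncthing-based PeerTube upload directory."""
import stat
from pathlib import Path
from typing import Dict, List

VALID_FLAGS = {"public", "nsfw"}          # the optional third line of login.txt
VIDEO_SUFFIXES = {".mp4", ".mkv", ".mov", ".avi", ".webm"}


def parse_login(text: str) -> Dict[str, object]:
    """login.txt: line 1 username, line 2 password, optional line 3 'public' and/or 'nsfw'."""
    lines = [ln.strip() for ln in text.splitlines()]
    if len(lines) < 2 or not lines[0] or not lines[1]:
        raise ValueError("login.txt needs a username on line 1 and a password on line 2")
    flags = set(lines[2].lower().split()) if len(lines) > 2 else set()
    unknown = flags - VALID_FLAGS
    if unknown:
        raise ValueError(f"unknown flag(s) on line 3: {sorted(unknown)}")
    return {"username": lines[0], "password": lines[1],
            "public": "public" in flags, "nsfw": "nsfw" in flags}


def login_file_problems(path: Path) -> List[str]:
    """login.txt holds a plaintext password: flag it if other local users can read it."""
    mode = path.stat().st_mode
    problems = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"{path} is readable by other users (mode {stat.filemode(mode)})")
    return problems


def ffmpeg_webm_command(src: Path, max_height: int = 720) -> List[str]:
    """argv for an ffmpeg run that converts to webm and caps the height (assumed settings)."""
    dst = src.with_suffix(".webm")
    return ["ffmpeg", "-i", str(src),
            "-vf", f"scale=-2:'min({max_height},ih)'",   # shrink only, never upscale
            "-c:v", "libvpx-vp9", "-crf", "33", "-b:v", "0",
            "-c:a", "libopus", str(dst)]


def pending_conversions(upload_dir: Path) -> List[List[str]]:
    """One ffmpeg command for every video in the directory that is not yet webm."""
    cmds = []
    for entry in sorted(upload_dir.iterdir()):
        if entry.is_file() and entry.suffix.lower() in VIDEO_SUFFIXES - {".webm"}:
            cmds.append(ffmpeg_webm_command(entry))
    return cmds


if __name__ == "__main__":
    upload_dir = Path.home() / "Sync" / "peertube_upload"
    login = upload_dir / "login.txt"
    if login.is_file():
        for problem in login_file_problems(login):
            print("warning:", problem)
        print("uploading as", parse_login(login.read_text())["username"])
        for cmd in pending_conversions(upload_dir):
            print("to convert:", " ".join(cmd))
```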
Idiots who have an inflated sense of self-entitlement will tell you that it's /your moral duty/ to view their mind-numbingly tedious corporate ads on their web site or YouTube channel, or else their kids will starve and the sky will fall because their revenue stream will dry up. But that's bullshit. There is nothing intrinsic or morally mandatory about adverts propping up the livelihoods of netizens, and indeed a web not primarily based on advertising money might have been a much better and more interesting place by now, with a lot less spying.
* On each client system within your local network
Make sure that you add the static IP address for the server to */etc/hosts*.
"/The way to keep giant companies from sterilizing the Internet is to make their sites irrelevant. If all the cool stuff happens elsewhere, people will follow. We did this with AOL and Prodigy, and we can do it again./" -- Maciej Cegłowski
#+END_QUOTE
Pleroma is an OStatus and ActivityPub compatible social networking server, compatible with GNU Social, PostActiv and Mastodon. It is high-performance and so is especially well suited for running on low power single board computers without much RAM.
Some general advice about life in the fediverse [[./fediverse.html][can be found here]].
#+attr_html: :width 100% :align center
[[file:images/pleroma.jpg]]
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *pleroma*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /pleroma.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
* Initial setup
The first thing you'll need to do is to obtain your login details. From the *administrator control panel* select *security settings* then *passwords* then *pleroma*. This gives the password you will need to log in, together with the username you gave during installation of the Freedombone system.
Once you have done that then you can disable further registrations from the *Administrator control panel* by going to *App Settings* then *pleroma* then *Disable new account registrations*. This may take a while because the app gets recompiled afterwards.
* Mastodon user interface
If you prefer a Tweetdeck-style user interface, similar to Mastodon, then once you have registered an account navigate to */yourpleromadomainname/web* and log in.
#+attr_html: :width 100% :align center
[[file:images/pleromamastodon.jpg]]
* Mobile apps
It's also possible to use Mastodon apps together with Pleroma, such as Tusky, since it supports the Mastodon API. You may need to install *IcecatMobile* and set it as your default browser (under *Settings/Apps/Menu*) in order for the initial oauth registration process to work.
The biggest hazard with Pleroma is that it's part of a public federated communications system. This means that conversations and replies from other servers may end up in your "whole known network" stream. The internet being what it is, some of these could be undesirable. You can block individual users or entire domains by going to the *Administrator control panel* and selecting *Domain or User Blocking*, then adding or removing entries. This blocks domains at the firewall level and also at the level of database and file storage.
If you want to block a particular user then select *Block a domain or user* and enter the user in the format *username@domaintoblock* (similar to an email address).
PostActiv is a fork of [[./app_gnusocial.html][GNU Social]] which includes some extra fixes and optimisations to improve performance. It federates just like GNU Social does and so whether you choose GNU Social or PostActiv is really just down to personal preference.
Some general advice about life in the fediverse [[./fediverse.html][can be found here]].
#+attr_html: :width 100% :align center
[[file:images/postactiv_pleroma.jpg]]
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *postactiv*. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /code.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
To see the login password for your site go to *Passwords* on the *Administrator control panel* and select the appropriate username and app. The passwords will be different for each user and may not be the same as the password which you used to originally ssh into the system.
Navigate to your PostActiv domain name and log in.
* Switching user interfaces
A few web based user interfaces are available for PostActiv. They are selectable by going to the *Administrator control panel* and choosing *App settings* then *postactiv*.
#+attr_html: :width 80% :align center
[[file:images/postactiv_settings.jpg]]
* *Qvitter*: Looks similar to Twitter during its golden era, before the ads and other antifeatures arrived
* *Pleroma*: A modern and lightweight user interface
* *Classic*: Like the original StatusNet UI. Minimal Javascript and has good support for threaded conversations.
* Using with Emacs
#+attr_html: :width 100% :align center
[[file:images/gnu-social-mode.jpg]]
If you are an Emacs user it's also possible to set up GNU Social mode, which is compatible with PostActiv. You can do that as follows:
The biggest hazard with PostActiv is that it's part of a public federated communications system. This means that conversations and replies from other servers may end up in your "/whole known network/" stream. The internet being what it is, some of these could be undesirable. You can block individual users or entire domains by going to the *Administrator control panel* and selecting *Domain or User Blocking*, then adding or removing entries. This blocks domains at the firewall level and also at the level of database and file storage.
If you want to block a particular user then select *Block a domain or user* and enter the user in the format *username@domaintoblock* (similar to an email address).
This is an encrypted pastebin, such that the server has zero knowledge of the content. It's intended for small amounts of text less than 32K in length. It's not intended for transferring large files, or for storing pastes for more than a day.
Because this is completely open to any user on the internet you should be wary of the potential for DDoS, and only install this app if you really need to avoid using other pastebins or if other pastebin sites are censored or untrustworthy. There are traffic limits set within this app to attempt to minimize the potential for flooding attacks, but that might still not be sufficient in the worst cases.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *privatebin*. You'll need to enter your preferred subdomain - something like /paste.yourdomain.com/ and optionally a freedns code.
To install this app you will first need to install the [[./app_xmpp.html][XMPP server]].
[[https://profanity.im][Profanity]] has a shell based user interface and is perhaps the simplest way to use XMPP from a laptop. It's also a good way to ensure that your OTR keys are the same even when logging in from different laptops or devices, and it also means that if those devices later become compromised then there are no locally stored OTR keys to be found.
#+BEGIN_SRC bash
ssh username@domain -p 2222
#+END_SRC
Then select *Run App* and then *profanity*.
Generate an [[https://en.wikipedia.org/wiki/Off-the-Record_Messaging][OTR]] key with:
#+BEGIN_SRC bash
/otr gen
#+END_SRC
Then to start a conversation using OTR:
#+BEGIN_SRC bash
/otr start otherusername@otheruserdomain
#+END_SRC
or if you're already in an insecure chat with someone just use:
#+BEGIN_SRC bash
/otr start
#+END_SRC
Set a security question and answer:
#+BEGIN_SRC bash
/otr question "What is the name of your best friends rabbit?" fiffi
#+END_SRC
On the other side the user can enter:
#+BEGIN_SRC bash
/otr answer fiffi
#+END_SRC
For the most paranoid you can also obtain your fingerprint:
#+BEGIN_SRC bash
/otr myfp
#+END_SRC
and quote that. If they quote theirs back you can check it with:
#+BEGIN_SRC bash
/otr theirfp
#+END_SRC
If the fingerprints match then you can be pretty confident that, unless you have been socially engineered via the question and answer, you probably are talking to who you think you are, and that it will be difficult for mass surveillance systems to know the content of the conversation. For more details see [[https://www.profanity.im/otr.html][this guide]].
When accessed via the user control panel the client is automatically routed through Tor and so if you are also using OTR then this provides protection for both message content and metadata.
Radicale is a calendar server which allows you to synchronise your calendar across all your devices. Support for CalDAV within various client systems can be quite patchy/flaky though, so use it with caution.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys, space bar and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *radicale*. If you don't already have an SSL/TLS certificate for your main domain then go to the security settings and create a new Let's Encrypt cert for it. That will ensure that your calendar events have some minimal level of protection from passive surveillance.
* Setting up on Android
Via F-droid install *DAVdroid*.
There seems to be a problem with Let's Encrypt certificates with this app, but it's possible to get around it. Open DAVdroid and select the side *menu* followed by *Settings*. Enable *Distrust system certificates* and press *Reset untrusted certificates*.
Exit from settings and press the *plus button* to add an account. Select *Login with URL and user name*. The URL should be https://yourmaindomainname/radicale/. Remember to include the trailing slash on the URL. If you installed Freedombone from a disk image then enter your username and the password which was shown at the start of installation. If not then the password for Radicale will be within *Passwords* section of the *Administrator control panel*.
You will be prompted to approve the Let's Encrypt certificate for your domain name, and once that's done then you should see your account as a large yellow box. Press on that and ensure that *Addresses* and *calendar* are selected.
Now go to your calendar app and press the plus icon to add an event. You should notice that the calendar account selected is your username on the Freedombone system.
Riot Web is a browser based user interface for the [[./app_matrix.html][Matrix]] federated communications system. It allows you to do encrypted one-to-one or group chat, and has some fancy WebRTC features for voice and video conversations. The WebRTC stuff won't work in a Tor browser though. This type of system is fine for general public communications and collaboration on open source projects or gaming groups. For things which require real privacy though stick to XMPP with OMEMO.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *riot* and also make sure that *matrix* is selected or was previously installed. You will then be asked for a domain name and if you are using FreeDNS also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /riot.mydomainname.net/. It will need to be a domain which you have bought somewhere and own and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
* Initial setup
Go to the *Administrator control panel* and select *Passwords* then *matrix*. This will give you the password to initially log in using the Riot Web user interface. Log in, and that's it. Happy chatting.
Rocketchat is a chat system which is mainly suited for private chat with a few family and friends. It has some integration capability with other systems, but isn't federated as [[./app_xmpp.html][XMPP]] or [[./app_matrix.html][Matrix]] are. If you need high security then XMPP with Conversations is probably still the best option.
This system is only available for X86 architecture, so won't install on ARM boards but probably will on an old laptop.
* Installation
ssh into the system with:
#+BEGIN_SRC bash
ssh myusername@mydomain.com -p 2222
#+END_SRC
Select *Administrator controls* then *Add/Remove Apps* then *rocketchat*. Enter your domain name and freedns code if you're using freedns.
Navigate to your rocketchat domain and register an account. The first registration becomes the administrator. It's a good idea within the Rocketchat administration settings under *Accounts* to select *Registration* and *Manually Approve New Users*, then save. This will prevent millions of random internet users from creating accounts on your server.
The way that RSS reading is set up on Freedombone gives you strong reading privacy. Not only is there onion routing between you and the server but also between the server and the source of the RSS feed. The only down side is that many RSS feeds are still http only, and so could be vulnerable to injection attacks, but it's expected that more of this will go to https in the foreseeable future due to a combination of growing recognition of security issues and systems like Let's Encrypt which make obtaining certificates much easier.
#+BEGIN_CENTER
#+attr_html: :width 80% :align center
[[file:images/rss_reader_mobile.jpg]]
#+END_CENTER
* Finding the onion address
See the control panel for the RSS reader onion address.
SearX is a metasearch engine. That means it returns results from other selected search engines. It's accessible via an onion address and provides a private search ability. Really the only advantage it gives you over searching directly from a Tor browser is the ability to customise your search experience.
In terms of security both the connection between you and the server, and the outgoing connection from the server to other search engines are onion routed. This should give you a reasonable level of search privacy.
#+attr_html: :width 100% :align center
[[file:images/searx.jpg]]
* Installation
ssh into the system with:
#+BEGIN_SRC bash
ssh myusername@mydomain.com -p 2222
#+END_SRC
Select *Administrator controls* then *Add/remove apps*. From there you can use cursor keys, space and enter keys to select *searx*.
Once it has installed go to *About* on the *Administrator control panel* and look for *searx*. Take a note of the onion address, and you can then enter that into a Tor compatible browser.
* Make it your default search
In a Tor browser click on the magnifying glass icon next to the search box and you can then add your metasearch site. A small icon will appear called "/Freedombone Metasearch/" and you can then right click on it and make it the default search.
* Enabling password login
It's possible that you might not want just anyone on the interwebs to be able to use your metasearch engine. Even with the onion routing this might carry some legal risk or make you a target for denial-of-service attempts (although Tor's rate limits and the firewall will give you some defense against that).
To enable password login go to the *Administrator control panel* then *App settings* then select *searx* and *Enable login*. If you select "yes" then the password will be displayed.
* Customization
It's also possible to customise the background image if you go to *App settings* then select *searx*.
This is an extremely simple RSS reader which is available only from an onion address, so that you have /the right to read/. There is very little code and so not much attack surface, and it will scale to screens of any size. This should be a better reading experience on mobile than with [[./app_ttrss.html][tt-rss]].
A disadvantage is that you can only add or remove feeds via the Freedombone administrator control panel, so this isn't suitable for multi-user environments. But once you have your feeds set up it's trivial to use, and unless you publish the onion address confidentiality should be maintained.
* Installation
ssh into the system with:
#+BEGIN_SRC bash
ssh myusername@mydomain.com -p 2222
#+END_SRC
Select *Administrator controls* then *Add/Remove Apps* then *smolrss*.
After installation within *Administrator controls* go to *App settings* then *smolrss*. You can then add some feeds or edit the existing feed list. There are a few default feeds as an example.
Within *Administrator controls* go to *About this system* and select *smolrss*. You will then have the onion address. Navigate to your reader in a Tor compatible browser. You may need to allow the site within NoScript. Then select a feed from the list and begin reading. That's all there is to it.
Syncthing provides a similar capability to proprietary systems such as Dropbox, and also is well suited for use with low power single board computers. You can have one or more directories which are synchronized across your various laptops/desktops/devices, and this makes it hard for you to ever lose important files. The manner in which the synchronization is done is pretty secure, such that it would be difficult for passive adversaries (mass surveillance, "/men in the middle/", etc) to know what files you're sharing. Of course, you don't necessarily need to be running a server in order to use Syncthing, but if you do have a server which is always running then there's always at least one place to synchronize your files to or from.
In another terminal log into Freedombone:
Select *Show device ID* and copy the long string of letters and numbers shown: hold the shift key while selecting the text, then right click and select copy.
Open a non-Tor browser and enter *http://127.0.0.1:8384* as the URL. You should now see the minimalistic user interface. Under *Remote Devices* select *Add Remote Device*. In the *Device ID* field paste the string you just copied (CTRL+v). The Device name can be anything. Under *Share Folders with Device* check *default* (or whatever folder you created on your local machine), then save.
#+BEGIN_CENTER
#+attr_html: :width 50% :align center
[[file:images/syncthing_browser.jpg]]
#+END_CENTER
From the top menu select *Actions* and then *Show ID*, then copy the ID string (usually select then CTRL+c). Go back to the terminal control panel menu and select *Add an ID* then paste what you just copied (CTRL+v). Optionally you can also provide a description so that you later can know what that string corresponds to.
Now wait for a few minutes. Eventually you will see two messages appear within the browser asking if you want to add two new folders from the Freedombone server. Say yes to both, and specify *~/Sync* as the directory with your username and *~/SyncShared* as the shared directory. You can now copy files into your *~/Sync* directory and they will automatically be synced to the server. Those will be files which only you can access. If you copy files into *~/SyncShared* then they will also be available to any other users on the system.
* Desktop app
If you're running Arch/Parabola there is a package called [[https://github.com/syncthing/syncthing-gtk][syncthing-gtk]] which provides a GTK GUI and an icon indicating whether synchronization is happening. This can be more convenient than using the browser interface.
This is a robust system for encrypted file storage on one or more servers. Files are accessed via a URL which contains the public key with which it was encrypted.
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *tahoelafs*. This system is entirely based upon use of onion addresses and so no other domain names are needed.
* Initial setup
Get the login password for your Tahoe-LAFS system by going to *Passwords* on the *Administrator control panel* and selecting *tahoelafs*.
Go to the *About* screen on the *Administrator control panel* and look for the onion address for *tahoelafs* within the list of domains. Enter that into a Tor compatible browser, along with your username and the tahoelafs password. You can then use the interface to upload files and obtain URLs for them. The URL contains the public key needed to decrypt the file.
* Adding more servers
You can add more servers to the system to increase its storage capacity. In a typical Tahoe-LAFS new data storage servers are automatically discovered via an introducer node, but that creates a single centralised point of failure. The installation on Freedombone has no introducer node and so details for the servers of your friends need to be entered manually.
Other servers will typically be Freedombone systems with Tahoe-LAFS installed. Your Tahoe-LAFS server settings can be found on the *About* screen of the *Administrator control panel*. Use an end-to-end encrypted chat app to copy and paste those details and send them to other friends. To add the server details go to *App settings* on the *Administrator control panel* then select *tahoelafs* and *Add server*.
Tox is an encrypted peer-to-peer messaging system and so should work without Freedombone. It uses a system of nodes which act as a sort of directory service allowing users to find and connect to each other. The Tox node ID on the Freedombone can be found within *App Settings* under *tox* within the *Administrator control panel*. If you have other users connect to your node then you will be able to continue chatting even when no other nodes are available.
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Then from the menu select *Run an app* followed by *tox*. Tox is encrypted by default and also routed through Tor, so it should be reasonably secure both in terms of message content and metadata.
#+begin_quote
"/Now is a very important time in history. Every aspect of our lives is moving into the digital world faster than we realize. We use apps like Dropbox or Evernote because of their convenience, but in doing so we sacrifice our privacy. What data isn't sold to advertisers or stolen by hackers is carved up by government surveillance./"
#+end_quote
Turtl is a system for privately creating and sharing notes and images, similar to Evernote. It can be set up so that a small number of users on the server can share their notes in a convenient way. It doesn't have any web user interface, and you need to install native clients on mobile or laptop/desktop machines.
Since the data at rest is stored in PGP encrypted format this is a good system to use in cases where security really is a critical factor.
#+attr_html: :width 50% :align center
[[file:images/turtl.jpg]]
* Installation
Log into your system with:
#+begin_src bash
ssh myusername@mydomain -p 2222
#+end_src
Using cursor keys and Enter key select *Administrator controls* and type in your password.
Select *Add/Remove Apps* then *turtl*. You will then be asked for a domain name and, if you are using FreeDNS, also the code for the domain which can be found under *Dynamic DNS* on the FreeDNS site (the random string from "/quick cron example/" which appears after /update.php?/ and before />>/). For more details on obtaining a domain and making it accessible via dynamic DNS see the [[./faq.html][FAQ]]. Typically the domain name you use will be a subdomain, such as /notes.mydomainname.net/. It will need to be a domain which you have bought somewhere and own, and not one of the FreeDNS subdomains, otherwise you won't be able to get an SSL/TLS certificate for it.
After the install has completed go to *Security settings* and select *Create a new Let's Encrypt certificate* and enter the domain name that you are using for Turtl. If you're using the "onion only" version of the system then you don't need to do this. If the certificate is obtained successfully then you will see a congratulations message.
* Initial setup
The most common use case will be with Android devices. The Android app isn't currently available within F-droid (see [[https://turtlapp.com/faq][the FAQ]] for details) but can be [[https://turtlapp.com/download/][downloaded from the Turtl site]].
Run the downloaded native app, then at the bottom of the screen select *advanced settings* and enter your Turtl domain name, then register a new account. The password can be anything you choose, but since the client side encryption depends upon having a good password, make it a long random string generated by a password manager such as KeepassX.
You should then be able to log in and start using the app. You might also want to invite any other users of your Freedombone system to also sign up using the turtl domain name which you specified during installation.
* Locking it down
Once you have created accounts it's a good idea to turn off new turtl signups. This will prevent millions of random users on the interwebs from creating accounts on your system and killing your server, or possibly other nefarious security scenarios. Go to the *administrator control panel* and select *App Settings* then *turtl*. You will then be able to disable new user registrations and also set the data storage limit for users. If you need additional users later you can always temporarily re-enable signups.
#+begin_quote
"/The Net interprets censorship as damage and routes around it./" -- John Gilmore
#+end_quote
A Virtual Private Network (VPN) allows you to move your internet traffic to a different machine in a different geographical location by creating a private cryptographically protected route to that location. The usual use cases are to get around local censorship of the internet such as when you see the message "/this content is not available in your area/" when trying to play a video. Maybe you're on holiday and your hotel or workplace internet connection is censored. Using a VPN you can connect to your home server and then use the internet normally.
Using a Tor browser is another way to get around censorship, but there might be occasions where you don't want to use a Tor browser or where Tor relays and bridges are blocked or where you want to run internet apps which aren't within a browser.
On Freedombone the VPN is wrapped within a TLS layer of encryption, making it difficult for any deep packet inspection systems to know whether you are using a VPN or not. Since there is lots of TLS traffic on the internet your connection looks like any other TLS connection to a server, and this may help to avoid being censored. It's probably not possible for your local ISP to block TLS traffic without immediately generating a lot of irate customers, and stopping any kind of commercial activity.
* Installation
ssh into the system with:
#+BEGIN_SRC bash
ssh myusername@mydomainname -p 2222
#+END_SRC
Select *Administrator controls* then *Add/Remove apps* then *vpn*. Choose the port which you want the VPN to operate on and then the install will continue.
Only use ports 443 or 80 for VPN as an /absolute last resort/, since doing so will prevent other web based apps from running on your server.
* Usage
When the installation is complete you can download your VPN keys and configuration files onto your local machine.
You will need to ensure that the /openvpn/ and /stunnel/ packages are installed. On an Arch based system:
#+begin_src bash
sudo pacman -S openvpn stunnel4
#+end_src
Or on a Debian based system:
#+begin_src bash
sudo apt-get install openvpn stunnel4
#+end_src
Now you can connect to your VPN with:
#+begin_src bash
sudo stunnel stunnel-client.conf
sudo openvpn client.ovpn
#+end_src
You should see a series of messages with "/Initialization Sequence Completed/" showing at the end. Leave the terminal open and perhaps minimize it to remain connected to the VPN. To leave the VPN close the terminal window.
* Changing port number
Avoiding censorship can be a cat and mouse game, and so if the port you're using for VPN gets blocked then you may want to change it.
#+BEGIN_SRC bash
ssh myusername@mydomainname -p 2222
#+END_SRC
Select *Administrator controls* then *App Settings* then *vpn*. Choose *Change TLS port* and enter a new port value. You can then either manually change the port within your VPN configuration files, or download them again as described in the [[Usage]] section above.
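The two client files described above have to agree with each other: client.ovpn must point at the local port on which stunnel listens, and the stunnel *connect* line must carry the TLS port chosen on the server. The POSIX shell functions below are an added example (not Freedombone's own scripts) that check this and rewrite the TLS port after it has been changed; the layout of stunnel-client.conf and client.ovpn in make_sample_configs is an assumption for illustration, not the files the server actually generates.

```shell
#!/bin/sh
# Added example, not part of Freedombone: sanity-check the VPN client files.
# stunnel terminates the TLS layer on the laptop and hands plaintext OpenVPN
# to a local port; client.ovpn must point at that same local port, and the
# stunnel "connect" line must carry the TLS port chosen on the server.
# The config layouts used here are assumptions, not Freedombone's real files.

# Port from the first "accept = host:port" line of an stunnel config.
stunnel_accept_port() {
    sed -n 's/^[[:space:]]*accept[[:space:]]*=.*:\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Port from the "connect = host:port" line (the server side TLS port).
stunnel_connect_port() {
    sed -n 's/^[[:space:]]*connect[[:space:]]*=.*:\([0-9][0-9]*\)[[:space:]]*$/\1/p' "$1" | head -n 1
}

# Host and port from the "remote <host> <port>" line of an OpenVPN config.
ovpn_remote_host() { awk '$1 == "remote" { print $2; exit }' "$1"; }
ovpn_remote_port() { awk '$1 == "remote" { print $3; exit }' "$1"; }

# Succeeds only when OpenVPN really goes through the local stunnel listener,
# i.e. the VPN traffic is wrapped in TLS rather than sent to the server directly.
vpn_configs_consistent() {
    _acc=$(stunnel_accept_port "$1")
    _host=$(ovpn_remote_host "$2")
    _port=$(ovpn_remote_port "$2")
    if [ -z "$_acc" ]; then
        echo "no accept line in $1" >&2; return 1
    fi
    case "$_host" in
        127.0.0.1|localhost) ;;
        *) echo "openvpn remote $_host bypasses stunnel" >&2; return 1 ;;
    esac
    if [ "$_port" != "$_acc" ]; then
        echo "openvpn remote port $_port != stunnel accept port $_acc" >&2; return 1
    fi
    return 0
}

# Rewrite the TLS port on the stunnel "connect" line after changing it on the
# server (the manual alternative to downloading the files again).
vpn_set_tls_port() {
    case "$2" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
    sed "s/^\([[:space:]]*connect[[:space:]]*=.*:\)[0-9][0-9]*[[:space:]]*$/\1$2/" "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Constructed sample files (made up for this example) so the checks run offline.
# Prints the directory holding stunnel-client.conf and client.ovpn.
make_sample_configs() {
    _dir=$(mktemp -d)
    cat > "$_dir/stunnel-client.conf" <<'EOF'
client = yes
foreground = yes

[openvpn]
accept = 127.0.0.1:1194
connect = mydomainname:1443
EOF
    cat > "$_dir/client.ovpn" <<'EOF'
client
dev tun
proto tcp
remote 127.0.0.1 1194
EOF
    echo "$_dir"
}

# Usage against your downloaded files:
#   vpn_configs_consistent stunnel-client.conf client.ovpn && echo ok
#   vpn_set_tls_port stunnel-client.conf 8443
```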
* Generating new keys
It's possible that your VPN keys might get lost or compromised on your local machine. If that happens you can generate new ones from the *Administrator controls* by going to *App Settings* then *vpn* then choosing *Regenerate keys for a user* and downloading the new keys as described in the [[Usage]] section above.
Most people know XMPP as "/Jabber/" and it's sometimes regarded as an old protocol once used by Google and Facebook but which is no longer relevant. However, it still works and, if appropriately configured as it is on Freedombone, can provide the best chat messaging security currently available.
With regard to chat apps you might have read a lot of stuff about /end-to-end se
A well written article on the state of XMPP and how it compares to other chat protocols [[https://gultsch.de/xmpp_2016.html][can be found here]].
* Using with Profanity
You can install the [[./app_profanity.html][profanity app]] via *Add/remove apps* on the *Administrator control panel*. Logging in and then selecting *Run App* and *profanity* will start it.
* Using with Gajim
In mid 2016 [[https://gajim.org/][Gajim]] became the first desktop XMPP client to support the [[https://en.wikipedia.org/wiki/OMEMO][OMEMO end-to-end security standard]], which is superior to the more traditional [[https://en.wikipedia.org/wiki/Off-the-Record_Messaging][OTR]] since it also includes multi-user chat and the ratcheting mechanism pioneered by Open Whisper Systems. To install it:
Open Gajim and enter your XMPP address and password.
Go to *Edit/Preferences* and select the *Advanced* tab. Under *Global Proxy* select *Tor* and the *Close* button. Then select *Edit/Plugins* and make sure that OMEMO is active (ticked), then select the *Close* button.
Go to *Edit/Accounts*, select your account then the *Connection* tab. Ensure that *Use custom hostname/port* is checked and enter your onion address there as the hostname (it can be found on the /About/ screen of the administrator control panel). Using the onion address will give you better protection against correlation attacks within the Tor network. Also under *Proxy* select *Tor*.
When you start a conversation make sure that the OMEMO box is ticked. You can also click on the keys button and trust various fingerprints. Both sides will need to do that before an encrypted chat can start.
If you wish to make backups of the OMEMO keys then they can be found within:
If you wish to use OpenPGP to encrypt your messages then go to *Edit/Accounts*, select your account and then the *Personal Information* tab. You can then choose your GPG key. When initiating a chat you can select the *Advanced* button and then select *Toggle OpenPGP Encryption*. OpenPGP is not as secure as OMEMO, but does allow you to use XMPP in a similar style to email in that the recipient of the message does not necessarily need to be online at the same time that you send it.
* Using with Profanity
[[https://profanity.im][Profanity]] has a shell based user interface and is perhaps the simplest way to use XMPP from a laptop. It's also a good way to ensure that your OTR keys are the same even when logging in from different laptops or devices, and it also means that if those devices later become compromised then there are no locally stored OTR keys to be found.
#+BEGIN_SRC bash
ssh username@domain -p 2222
#+END_SRC
Then select XMPP. Generate an [[https://en.wikipedia.org/wiki/Off-the-Record_Messaging][OTR]] key with:
#+BEGIN_SRC bash
/otr gen
#+END_SRC
Then to start a conversation using OTR:
#+BEGIN_SRC bash
/otr start otherusername@otheruserdomain
#+END_SRC
or if you're already in an insecure chat with someone just use:
#+BEGIN_SRC bash
/otr start
#+END_SRC
Set a security question and answer:
#+BEGIN_SRC bash
/otr question "What is the name of your best friends rabbit?" fiffi
#+END_SRC
On the other side the user can enter:
#+BEGIN_SRC bash
/otr answer fiffi
#+END_SRC
For the most paranoid you can also obtain your fingerprint:
#+BEGIN_SRC bash
/otr myfp
#+END_SRC
and quote that. If they quote theirs back you can check it with:
#+BEGIN_SRC bash
/otr theirfp
#+END_SRC
If the fingerprints match then you can be pretty confident that, unless you have been socially engineered via the question and answer, you are talking to who you think you are, and that it will be difficult for mass surveillance systems to know the content of the conversation. For more details see [[https://www.profanity.im/otr.html][this guide]].
When accessed via the user control panel the client is automatically routed through Tor and so if you are also using OTR then this provides protection for both message content and metadata.
* Using with Jitsi
Jitsi can be downloaded from https://jitsi.org
Enter your username (username@domainname) and password.
Click on *Advanced* and make sure that *Encryption required* and *Ignore SSL certificate errors* are checked. Ignoring the certificate errors will allow you to use the self-signed certificate created earlier. Then click *Done* and set your Jabber account and Empathy to *On*.
* Using Tor Messenger
Tor Messenger is a messaging client which supports XMPP, and its onion routing enables you to protect the metadata of chat interactions to some extent by making it difficult for an adversary to know which server is talking to which. You can download Tor Messenger from [[https://torproject.org][torproject.org]] and the setup is pretty simple.
* Using with Android/Conversations
Install [[https://f-droid.org/][F-Droid]]
#+BEGIN_SRC
Port: 5222
#+END_SRC
Then select *Next*. When chatting you can use the lock icon to encrypt your conversation. OMEMO is the recommended type of encryption. It's also going through Tor, so passive surveillance of the metadata should not be easy for an adversary.
It's also recommended to disable battery optimisations for Conversations and Orbot. If you don't do that then you may have trouble receiving messages or some parts of the protocol may break. That can be done by going to *Settings*, selecting *Battery* then opening the menu (top right) and selecting *Battery optimisations* then selecting *Not optimised* and *All apps*, then finally choosing Conversations and Orbot not to be optimised.
#+begin_quote
"/In times of aggressive corporatization, increasing enclosure of communication spaces, and blanket surveillance, emancipatory communication practices appear to be particularly well suited to offer concrete alternatives to activists and citizens alike/" -- Stefania Milan
#+end_quote
The base install of the system just contains an email server and Mutt client, but not much else. In addition, from within the *Administrator control panel* under *Add/remove apps* the following are installable. This list only applies to the home server version; the mesh network version has a different and smaller set of apps.
* Akaunting
A web based accounts system for small businesses or freelancers.
[[./app_akaunting.html][How to use it]]
* BDS Mail
It's like ordinary email, but with [[https://en.wikipedia.org/wiki/I2P][i2p]] as the transport mechanism.
[[./app_bdsmail.html][How to use it]]
* Bludit
This is a simple databaseless blogging system which uses markdown files. It should run well on any hardware.
[[./app_bludit.html][How to use it]]
* CryptPad
Collaborate on editing documents, presentations and source code, or vote on things. All with a good level of security.
[[./app_cryptpad.html][How to use it]]
* Datserver
Seed dat protocol files from your server to make them always accessible.
[[./app_datserver.html][How to use it]]
* DLNA
Enables you to use the system as a music server which any DLNA compatible devices can connect to within your home network.
* DokuWiki
A databaseless wiki system.
[[./app_dokuwiki.html][How to use it]]
* Edith
Extremely simple and distraction-free notes system.
[[./app_edith.html][How to use it]]
* Emacs
If you use the Mutt client to read your email then this will set it up to use emacs for composing new mail.
[[./app_emacs.html][How to use it]]
* Email Server
Since many apps require email registration an email server is installed by default. You can find advice on using the email system [[./usage_email.html][here]].
* Etherpad
Collaborate on creating documents in real time. Maybe you're planning a holiday with other family members or creating documentation for a Free Software project along with other volunteers. Etherpad is hard to beat for simplicity and speed. Only users of the system will be able to access it.
[[./app_etherpad.html][How to use it]]
* Federated wiki
A new approach to creating wiki content.
[[./app_fedwiki.html][How to use it]]
* Ghost
Modern looking blogging system.
[[./app_ghost.html][How to use it]]
* Friendica
Federated social network system.
[[./app_friendica.html][How to use it]]
* GNU Social
Federated social network based on the OStatus protocol. You can "/remote follow/" other users within the GNU Social federation.
[[./app_gnusocial.html][How to use it]]
* Gogs
Databaseless blogging system. Quite simple and with a markdown-like format.
* Hubzilla
Web publishing platform with social network like features and good privacy controls so that it's possible to specify who can see which content. Includes photo albums, calendar, wiki and file storage.
[[./app_hubzilla.html][How to use it]]
* Icecast media stream
Make your own internet radio station.
[[./app_icecast.html][How to use it]]
* IRC Server (ngirc)
Run your own IRC chat channel which can be secured with a password and accessible via an onion address. A bouncer is included so that you can receive messages sent while you were offline. Works with Hexchat and other popular clients.
* Jitsi Meet
Experimental WebRTC video conferencing system, similar to Google Hangouts. This may not be fully functional, but is hoped to be in the near future.
* KanBoard
A simple kanban system for managing projects or TODO lists.
[[./app_kanboard.html][How to use it]]
* Key Server
An OpenPGP key server for storing and retrieving GPG public keys.
[[./app_keyserver.html][How to use it]]
* Koel
Access your music collection from any internet connected device.
[[./app_koel.html][How to use it]]
* Lychee
Make your photo albums available on the web.
* Mailpile
Modern email client which supports GPG encryption.
[[./app_mailpile.html][How to use it]]
* Matrix
Multi-user chat with some security and moderation controls.
[[./app_matrix.html][How to use it]]
* Mediagoblin
Publicly host video and audio files so that you don't need to use YouTube/Vimeo/etc.
[[./app_mediagoblin.html][How to use it]]
* Mumble
The popular VoIP and text chat system. Say goodbye to old-fashioned telephony conferences with silly dial codes. Also works well on mobile.
[[./app_mumble.html][How to use it]]
* NextCloud
Store files on your server and sync them with laptops or mobile devices. Includes many plugins including videoconferencing and collaborative document editing.
[[./app_nextcloud.html][How to use it]]
* PeerTube
Peer-to-peer video hosting. Similar to Mediagoblin, but the P2P aspect better enables the streaming load to be shared across servers.
[[./app_peertube.html][How to use it]]
* PI-Hole
The black hole for web adverts. Block adverts at the domain name level within your local network. It can significantly reduce bandwidth, speed up page load times and protect your systems from being tracked by spyware.
[[./app_pihole.html][How to use it]]
* Pleroma
Fediverse instance which is compatible with GNU Social and Mastodon, and suited for systems without much RAM or CPU resource.
[[./app_pleroma.html][How to use it]]
* PostActiv
An alternative federated social networking system compatible with GNU Social, Pleroma and Mastodon. It includes some optimisations and fixes currently not available within the main GNU Social project.
[[./app_postactiv.html][How to use it]]
* PrivateBin
A pastebin where the server has zero knowledge of the content being pasted.
[[./app_privatebin.html][How to use it]]
* Profanity
A shell based XMPP client which you can run on the Freedombone server via ssh.
[[./app_profanity.html][How to use it]]
* Radicale
Calendar system compatible with CalDAV and CardDAV. Sync your calendar events easily and securely across all your devices.
[[./app_radicale.html][How to use it]]
* Riot Web
A browser based user interface for the Matrix federated communications system, including WebRTC audio and video chat.
[[./app_riot.html][How to use it]]
* Rocketchat
A non-federated chat server (x86 systems only).
[[./app_rocketchat.html][How to use it]]
* SearX
A metasearch engine for customised and private web searches.
[[./app_searx.html][How to use it]]
* Smol RSS
A very minimal RSS reader.
[[./app_smolrss.html][How to use it]]
* Syncthing
Possibly the best way to synchronise files across all of your devices. Once it has been set up it "just works" with no user intervention needed.
[[./app_syncthing.html][How to use it]]
* tt-rss
Private RSS reader. Pulls in RSS/Atom feeds via Tor and is only accessible via an onion address. Have "/the right to read/" without the Surveillance State knowing what you're reading. Also available with a user interface suitable for viewing on mobile devices via a browser such as OrFox.
[[./app_rss.html][How to use it]]
* Tahoe-LAFS
Robust and encrypted storage of files on one or more servers.
[[./app_tahoelafs.html][How to use it]]
* Tox
Client and bootstrap node for the Tox chat/VoIP system.
[[./app_tox.html][How to use it]]
* Turtl
A system for privately creating and sharing notes and images, similar to Evernote but without the spying.
[[./app_turtl.html][How to use it]]
* Vim
If you use the Mutt client to read your email then this will set it up to use vim for composing new mail.
* Virtual Private Network (VPN)
Set up a VPN on your server so that you can bypass local internet censorship.
[[./app_vpn.html][How to use it]]
* XMPP
Chat server which can be used together with clients such as Gajim or Conversations to provide end-to-end content security and also onion routed metadata security. Includes advanced features such as /client state notification/ to save battery power on your mobile devices, support for seamless roaming between networks and /message carbons/ so that you can receive the same messages while being simultaneously logged in to your account on more than one device.
#+begin_quote
"/we are the music makers, we are the dreamers of dreams. cyberpunks and pirates. chaotic spectres haunting cyberspace. engineers, artists, hackers./"
#+end_quote
If you have a single board ARM computer which isn't one of the supported ones then you can probably still install Freedombone onto it if it has a [[https://www.armbian.com/download/][Debian Stretch Armbian image]] available for it.
Download the Armbian image for your board. It must be version 9 (Stretch), otherwise it won't work. Extract the image from its archive, then copy it to a microSD card:
Where */dev/sdX* is the path for the microSD drive on your system.
When that's done use a tool such as *Gparted* to resize the partition on the microSD card to fill up any remaining available space.
Insert the microSD drive into your ARM board, connect it to your internet router with an ethernet cable and plug in the power.
The board should then show up somewhere on your local network. You can log into your internet router to see what devices are connected and obtain the local IP address for the board that way, or use a network scanning tool.
Once you know the local IP address of your ARM board then you can log into it with:
#+begin_src bash
ssh root@[local IP address]
#+end_src
Log in using the default Armbian password of *1234*. You should see the Armbian welcome message and will be asked to change the password, then to create a new user account.
#+attr_html: :width 80% :align center
[[file:images/armbian_setup.jpg]]
When the user account is created type *exit* to leave the ssh session then log back in with your new user account.
#+begin_src bash
ssh myusername@[local IP address]
#+end_src
Become the root user:
#+begin_src bash
sudo su
#+end_src
Then clone the Freedombone repository and check out the stretch development branch.
If you can't obtain a copy of the source code from *code.freedombone.net* (maybe the server is down) then you may still be able to obtain it with:
#+begin_src bash
dat clone dat://e9cbf606e55cdaa85199f4e6ec25ff7456775389979a668b3faf33e057493f8e/
cd e9cbf606e55cdaa85199f4e6ec25ff7456775389979a668b3faf33e057493f8e
tar -xzvf freedombone.tar.gz
cd freedombone
git checkout stretch
#+end_src
Install the Freedombone commands:
#+begin_src bash
make install
#+end_src
And now you can begin installing the Freedombone system. There are two ways of doing this. If you already own a domain name which you want to use then run:
#+begin_src bash
freedombone menuconfig
#+end_src
Alternatively, if you don't own a domain name, don't have administrator access to your internet router or if you want to be able to access your sites only via onion addresses then run:
#+begin_src bash
freedombone menuconfig-onion
#+end_src
You will then be taken through a few questions and the system will install. Afterwards you'll be able to log into your system with:
#+begin_src bash
ssh myusername@freedombone.local -p 2222
#+end_src
Then select *Administrator options*. If you chose the first install option using a domain name then go to *Show Firewall* and make sure that the ports shown are forwarded from your internet router to your ARM board.
You can then [[./apps.html][add or remove apps]] as needed.
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
Enter the LUKS password for the USB drive. When the restore is complete you can
* Distributed/remote backups
Distributed backups are a better way of ensuring the persistence of your data, such that even if your system gets stolen or destroyed then the data will still be recoverable from your friends. Since the backups are encrypted your friends (or anyone else with access to their systems) won't be able to read your backed up content even if their systems are subsequently compromised.
Firstly you will need to have a user account on one or more of your friends' servers. They don't necessarily need to be using Freedombone, just some version of GNU/Linux with ssh access. They can create a user account for you with the control panel on a Freedombone system, or with the *adduser <username>* command on any other system when logged in as root, and then give you the username and password via a secure method, such as on paper, via an encrypted email, Tox or via an XMPP chat using OpenPGP/OMEMO. Make sure that the password used is a strong one - preferably a long random string stored in a password manager - so that dictionary attacks will not be easy. Also for maximum resilience put your password manager file onto a USB thumb drive and carry it with you.
#+END_EXPORT
* Installing Freedombone on a Beaglebone Black
The Beaglebone Black is small, cheap, a fully open hardware design, has a hardware random number generator and consumes very little electrical power, making it suitable for all kinds of uses. There is also a wireless version.
You can easily use one to run your own internet services from home.
#+BEGIN_CENTER
[[file:images/bbb_above.jpg]]
#+END_CENTER
#+attr_html: :width 50% :align center
[[file:images/bbb_board.jpg]]
You will need:
* A Beaglebone Black. The exact revision of the hardware isn't very important, but it should have an ethernet socket.
* Optionally a plastic or metal case to protect the electronics.
* An ethernet cable. Typically these are colour coded either blue or yellow. Either colour will do. If you're using the Wireless version of the Beaglebone Black then you don't need this.
* Either a 5v power supply with 5.5mm barrel plug, or a miniUSB type B cable (typically supplied with the Beaglebone) and USB to mains adaptor.
* A microSD card at least 8 gigabytes in size. In tests Sandisk class 10 works well. Prefer smaller but faster I/O rating to larger but slower.
* A microSD card adaptor for your laptop or desktop system, so that you can copy the disk image to the card.
You may need to obtain a domain name and set up a dynamic DNS account for your new Freedombone server. Details on how to do that [[./domains.html][can be found here]].
On your laptop or desktop prepare a microSD card image as follows. To create an image on a Debian based system:
If you can't obtain a copy of the source code from *code.freedombone.net* (maybe the server is down) then you may still be able to obtain it with:
#+begin_src bash
dat clone dat://e9cbf606e55cdaa85199f4e6ec25ff7456775389979a668b3faf33e057493f8e/
cd e9cbf606e55cdaa85199f4e6ec25ff7456775389979a668b3faf33e057493f8e
tar -xzvf freedombone.tar.gz
cd freedombone
git checkout stretch
#+end_src
#+BEGIN_CENTER
#+attr_html: :width 80% :align center
[[file:images/microsd_reader.jpg]]
#+END_CENTER
If you own a domain name and have it linked to a dynamic DNS account (eg. [[https://freedns.afraid.org][freeDNS]]) and want to make a system accessible via an ordinary browser then run:
Onion addresses have the advantage of being difficult to censor and you don't need to buy a domain or have a dynamic DNS account. An onion based system also means you don't need to think about NAT traversal type issues. This *does not* mean that everything gets routed through Tor, it just means that the sites for apps which you install will be available through Tor's address system.
#+BEGIN_CENTER
#+attr_html: :width 80% :align center
[[file:images/bbb_back.jpg]]
#+END_CENTER
Now follow the [[./homeserver.html][instructions given here to copy the image to the microSD drive]] beginning with running the /freedombone-client/ command. Wherever it says "USB drive" substitute "microSD drive". When the microSD drive is ready plug it into the front of the Beaglebone. The photo below also includes an Atheros wifi USB dongle plugged into the front, but that's not necessary unless you want to set up the system to run on a wifi network.
#+BEGIN_CENTER
#+attr_html: :width 80% :align center
[[file:images/bbb_front.jpg]]
#+END_CENTER
Connect the power and for the non-wireless versions of the Beaglebone Black also connect the ethernet cable and plug it into your internet router.
Now power cycle by removing the power plug and then inserting it again. It should boot from the microSD drive and you should see the blue LEDs on the board flashing. If they don't flash at all for a few minutes then try copying the image to the microSD card again.
Follow the rest of the [[./homeserver.html][instructions given here]] to log in via ssh and install the system. The microSD drive /should remain inside the Beaglebone/ and not be removed. This will be its main drive, with the internal EMMC not being used at all. For the Beaglebone Black Wireless ssh back in on the usual 192.168.7.2 address with the USB cable connected so that your wifi login parameters can be set.
There are many apps available within the Freedombone system and trying to install them all is probably not a good idea, since this hardware is very resource constrained on CPU and especially on RAM. If the system seems to be becoming unstable and crashing then the most likely cause is running out of RAM, in which case you can try uninstalling some apps. It is possible to monitor RAM usage by logging in with ssh, exiting to the command line and then running the /top/ command.
The following ARM boards are supported by the build system. If your board isn't listed here then you may still be able to install Freedombone using [[./armbian.html][Armbian]].
- beaglebone
- cubieboard2
- cubietruck
- pcduino3
- a20-olinuxino-lime
- a20-olinuxino-lime2
- a20-olinuxino-micro
- Lemaker Banana Pro
The latest image builds are obtainable with [[https://datproject.org/][dat]] and can be [[./downloads/images.txt][found here]].
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
Freedombone is really just a couple of [[https://www.gnu.org/software/bash][bash]] scripts which install and configure software on a Debian GNU/Linux system. If you're a system administrator, software engineer or Linux hobbyist you'll probably be familiar with command line scripting and be able to make your own modifications or custom variants to suit your needs. Freedombone is licensed under the [[https://www.gnu.org/licenses/agpl.html][GNU Affero General Public License version 3]] (or later).
You can find the source code for this project on [[https://code.freedombone.net/bashrc/freedombone][code.freedombone.net]].
*Why Github?*
Github is closed source. Sooner or later it will probably turn evil or become like Sourceforge - which in the distant past was also once the darling of open source developers but has long since fallen from grace. The biggest reason to use Github is just the number of eyeballs there and the easy discoverability of projects.
Longer term it is expected that the source code for this project will also be self-hosted, with Github acting only as a mirror to increase visibility.
Bugs or feature requests should be [[https://code.freedombone.net/bashrc/freedombone/issues][entered here]].
In any Free Software project with more than one participant inevitably there may be people with whom you may disagree, or find it difficult to cooperate. Accept that, but even so, remain respectful. Disagreement is no excuse for poor behaviour or personal attacks, and a community in which people feel threatened is not a healthy community.
* Assume good faith
Freedombone Contributors have many ways of reaching our common goal of providing freedom respecting internet or mesh systems which may differ from your ways. Assume that other people are working towards this goal.
* Be collaborative
Freedombone is a moderately complex project, though nothing big and professional like GNU. It's good to ask for help when you need it. Similarly, offers for help should be seen in the context of our shared goal of improving the system.
When you make something for the benefit of the project, be willing to explain to others how it works, so that they can build on your work to make it even better.
* Try to be concise
If you're submitting documentation then keep in mind that what you write once could be read by many other people. To avoid TL;DR keep it as short and concise as possible. This will also reduce the amount of translation effort needed.
If you're discussing an issue or bug, try to stay on topic, especially in discussions that are already fairly large.
* Be open
Most ways of communication used within Freedombone (eg Matrix/XMPP) allow for public and private communication. Prefer public methods of communication for Freedombone-related messages, unless posting something sensitive.
This applies to messages for help, too; not only is a public support request much more likely to result in an answer to your question, it also makes sure that any inadvertent mistakes made by people answering your question will be more easily detected and corrected.
* No spamming
Posting of adverts or other off-topic content in Matrix/XMPP or other public systems used by the project will be considered a violation of the code of conduct.
* Respect others’ privacy
No stalking, unwanted personal attention, or unwelcome revealing or speculating about personal details of others.
In cases of sincere, good-faith curiosity about someone’s experience or identity, ask politely in a manner such that they will feel free to decline the request.
* No hostile communication
No insults, harassment (sexual or otherwise), condescension, ad hominem, threats, or other intimidation.
Condescension means treating others as inferior. Subtle condescension still violates the Code of Conduct even if not blatantly demeaning.
No stereotyping of or promoting prejudice or discrimination against particular groups or classes of people.
In cases where criticism of ideology or culture remains on-topic, respectfully discuss the ideas.
* In case of problems
While this code of conduct should be adhered to by participants, we recognize that sometimes people may have a bad day, or be unaware of some of the guidelines in this code of conduct. When that happens, you may reply to them and point out this code of conduct. Such messages may be in public or in private, whatever is most appropriate. However, regardless of whether the message is public or not, it should still adhere to the relevant parts of this code of conduct; in particular, it should not be abusive or disrespectful. Assume good faith; it is more likely that participants are unaware of their bad behaviour than that they intentionally try to degrade the quality of the discussion.
Serious or persistent offenders will be kicked from chat rooms and any of their subsequent patches will be unlikely to be upstreamed. In this context "serious" means that someone is causing others to feel unsafe or be unable to contribute, for whatever reason.
This is not a big project and so there is no division of labor or special enforcement committee or bureaucratic process. Complaints should be made (in private) to the maintainer or chat room admin. The typical email address can be found in the source code headers. Preferably use GPG if you can, or XMPP with OpenPGP/OMEMO to bob@freedombone.net. XMPP messages are likely to get a quicker response.
You can access the main menu by logging into the system.
#+BEGIN_SRC bash
ssh myusername@mydomain -p 2222
#+END_SRC
Then select /Administrator controls/.
It should look like this:
#+BEGIN_CENTER
[[file:images/controlpanel/control_panel.jpg]]
#+END_CENTER
To select anything on the control panel use the *up and down* cursor keys and *space bar* to tag, then press *Enter*.
* User control panel
When a user initially logs in they will see a version of the control panel with restricted options aimed at the kinds of things which someone who isn't the administrator might wish to do. An expected scenario is that you might have a few friends or family members on the system, and this is who this menu is intended for.
From this menu checking email or running chat applications is very easy, and they are configured in a safe manner without the user needing to do anything special. Email uses *mutt*, XMPP uses *profanity* and IRC uses *irssi*.
#+BEGIN_CENTER
[[./images/controlpanel/control_panel_user.jpg]]
#+END_CENTER
It's also possible for the user to define email filtering rules, add an ssh public key for key based login and also add or remove GPG public keys. They can also do this via the commandline if they prefer, but the menu system may provide an easier user interface.
* About screen
To find out your current domain names select the About screen from the main menu. This is especially useful for finding your onion addresses. For improved security by compartmentalisation, and also simpler implementation, each application has its own onion address.
You can also see the SIP extension numbers for each user and how much disk space each user is consuming (typically this corresponds with email use).
The Local Mirrors section contains mirrored copies of the git repositories used by the system. If other users don't have access to the default repositories (mostly Github) then you can give these details to them and they can set their main repository such that they pull from your system. Obviously any users doing this need to trust that you haven't modified the mirrored repositories in any way.
* Email filtering rules
You can add users to mailing lists, or block particular email addresses or subject lines in this menu.
You can view the current IRC password or change it from here. Currently the IRC server does not work equally well on clearnet and via Tor, so there is an option to switch from one to the other. Initially the IRC server will be running on clearnet (i.e. no onion routing).
It's possible to add playable media to a USB drive and plug it into the system, then make it accessible to other devices such as tablets or phones on your local network via DLNA.
If you don't want to use the default repositories, or don't have access to them, then you can obtain them from another Freedombone server (the details can be found on the other server on the *About* screen of the control panel).
If you need to generate SSL/TLS certificates or change cypher details due to changing recommendations then you can do that here. If you are changing cypher details be extra careful not to make mistakes/typos, which could reduce the security of your system.
#+BEGIN_QUOTE
"/The antagonism of surveillance is not privacy but the making of communities in struggle/"
-- Arun Kundnani
#+END_QUOTE
Although the image builder supports a variety of architectures there may still be some which aren't supported. These especially include systems which have a proprietary boot blob, such as the Raspberry Pi boards.
It's still possible to install the system onto these unsupported devices if you need to. First you'll need to ensure that you have *Debian Stretch* installed and can get ssh access to the system. Then either via ssh, or directly on the target device in the case of an old laptop or netbook:
The installation process will then begin. Depending upon the hardware you're installing onto and your internet connection speed it may take quite a while to install.
Once installed you can then log in from another system with:
* Community Statement
This project doesn't require you to take any special pledge of allegiance or subscribe to any guru's list of commandments. It does not care about your gender, race, national flag or political alignment. It is agnostic towards your religion or lack thereof. It doesn't give one hoot as to whether you are young or old, rich or poor, gay, trans, straight or just "other". It does not care if you like your eggs sunny side up or if you are a vegan.
This is an inclusive project which will take patches or pull requests from anyone, in a generous manner along the lines described by the late Pieter Hintjens in his book /Social Architecture/. Any useful patch is likely to be merged so long as it is submitted under a license compatible with AGPL3. Copyright assignment is not required.
Freedombone is a free system. That's free as in no secret source. For anything. Although there's nothing to stop you from adding proprietary utilities or apps if you wish, any patches containing closed stuff or which create dependencies upon closed systems will be regarded as trash and ignored.
This project also has a no bullshit policy. Anyone trying to cause a ruckus by trolling or engaging in behavior which is disruptive or disrespectful to others will be speedily blocked and ignored. Life's too short, and there's too much to be done.
Freedombone consists of a set of bash scripts. There are a lot of them, but they're not very complicated. If you're familiar with the GNU/Linux commandline and can hack a bash script then you can probably add a new app or fix a bug in the system. There are no trendy development frameworks to learn or to get in your way. You might also want to consult the [[./codeofconduct.html][Code of Conduct]], and there is a Matrix room at *#fbone:matrix.freedombone.net*
* Adding extra apps
Suppose you have some internet application which you want to add to the system. To do this you need to create an app script which tells the system how to install/remove and also backup/restore. The script should be designed to work with the current stable version of Debian.
On an installed system the app scripts go into the directory:
There's a command which you can use to generate scripts for new apps. Some examples are as follows:
To create a script for a generic PHP plus MySql/MariaDB web app with a couple of extra packages:
The /myappname/ value should not contain any spaces and will appear in the list of available apps.
An example template for an app script is shown below. Copy this and add whatever variables and configuration you need. Search and replace /myappname/ with your own.
For a Python app with Postgresql database:
#+begin_src bash
#!/bin/bash
# Copyright (C) Year YourName <YourEmail>
#
# This program is free software: you can redistribute it
# and/or modify it under the terms of the GNU Affero General
# Public License as published by the Free Software Foundation,
# either version 3 of the License, or (at your option) any
# later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
# 'full' includes your app in the full installation and you
# can also add other variants, separated by spaces. The
# available variants will be detected automatically from the
# app scripts. In most cases don't change this.
VARIANTS='full'
# If you want this to appear on the control panel About screen
SHOW_ON_ABOUT=1
# If you want this app to be in the default installation,
# otherwise it will be available but not selected by default
IN_DEFAULT_INSTALL=1
SOME_IMPORTANT_CONFIG_VARIABLE='some important value'
#+end_src
Select *Add/Remove Apps* and if all is well then you should see your app listed as installable. Test that installing and removing it works as expected.
A generic PHP plus MySql/MariaDB web app which is only available on an onion address:
Submit your working app to *https://github.com/bashrc/freedombone/issues*
The template command won't give you a fully working app, but it will give you a big head start and avoid a lot of potential mistakes. It's highly likely that you'll still need to add extra configuration for your particular app, especially within the *install_app* function.
When your new script is ready for testing you can install it with:
#+begin_src bash
make install
#+end_src
Then run the administrator control panel and you should see the new app within *Add/Remove apps*.
Submit your working app to *https://code.freedombone.net/bashrc/freedombone/issues*, create a pull request or if you don't have an account there you can send patches via email to bob@freedombone.net.
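As an added example (not code from the Freedombone project), the script below shows how the *VARIANTS* and *IN_DEFAULT_INSTALL* settings of the template above can be read back from a directory of app scripts without sourcing them: it builds a few constructed app scripts in a temporary directory, lists the variants they declare, and lists the apps a given variant would preselect. The *freedombone-app-* file name prefix and the directory layout are assumptions for the example.

```bash
#!/bin/bash
# Added example, not part of the Freedombone project. The apps directory
# and the freedombone-app-* file names below are constructed for the demo.
set -eu

# Build a few constructed app scripts to work on.
APPS_DIR="$(mktemp -d)"
cat > "$APPS_DIR/freedombone-app-blog" <<'EOF'
VARIANTS='full writer'
SHOW_ON_ABOUT=1
IN_DEFAULT_INSTALL=1
EOF
cat > "$APPS_DIR/freedombone-app-git" <<'EOF'
VARIANTS='full developer'
SHOW_ON_ABOUT=1
IN_DEFAULT_INSTALL=0
EOF
cat > "$APPS_DIR/freedombone-app-meshchat" <<'EOF'
VARIANTS='mesh'
SHOW_ON_ABOUT=0
IN_DEFAULT_INSTALL=1
EOF

# Read one NAME=value or NAME='value' assignment from an app script.
# Only the first matching line is used and surrounding quotes are stripped.
# The file is grepped, never sourced, so a malformed or untrusted app
# script cannot execute anything while its settings are inspected.
app_setting() {
    local file="$1" name="$2"
    grep "^${name}=" "$file" | head -n1 | sed -e "s/^${name}=//" -e "s/^'//" -e "s/'$//"
}

# Print the sorted, de-duplicated set of variants declared across all
# app scripts, which is how "available variants" can be detected
# automatically from the scripts themselves.
available_variants() {
    local dir="$1" f
    for f in "$dir"/freedombone-app-*; do
        app_setting "$f" VARIANTS | tr ' ' '\n'
    done | grep -v '^$' | sort -u
}

# Print the app names (file name minus the prefix) that belong to the
# given variant and have IN_DEFAULT_INSTALL=1, i.e. the apps that would
# be selected by default for that variant.
default_apps_for_variant() {
    local dir="$1" variant="$2" f name v
    for f in "$dir"/freedombone-app-*; do
        name="${f##*/freedombone-app-}"
        [ "$(app_setting "$f" IN_DEFAULT_INSTALL)" = "1" ] || continue
        for v in $(app_setting "$f" VARIANTS); do
            if [ "$v" = "$variant" ]; then
                echo "$name"
                break
            fi
        done
    done | sort
}

echo "variants: $(available_variants "$APPS_DIR" | tr '\n' ' ')"
echo "default apps in 'full': $(default_apps_for_variant "$APPS_DIR" full | tr '\n' ' ')"
echo "default apps in 'mesh': $(default_apps_for_variant "$APPS_DIR" mesh | tr '\n' ' ')"
```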
* Customising mesh images
If you want to make your own specially branded version of the mesh images, such as for a particular event, then to change the default desktop backgrounds edit the images within *img/backgrounds* and to change the available avatars and desktop icons edit the images within *img/avatars*. Re-create disk images using the instructions shown previously.
If you need particular /dconf/ commands to alter desktop appearance or behavior then see the function /mesh_client_startup_applications/ within *src/freedombone-image-customise*.
If you want your sites or chat systems to be available via an ordinary web browser (i.e. not a Tor browser) then you'll need to obtain a domain name. The domain name system is ultimately controlled by ICANN and to obtain a domain name for which you can also get a TLS certificate you'll need to buy one. There are various sites which sell domain names, and fortunately they can often be quite cheap - especially if you can think of an obscure name for your site. Prefer sites where the domain name subscription can be automatically renewed, because otherwise trolls can quickly buy your domain when it expires and then hold it for ransom. If you're planning to self-host for more than an ephemeral purpose, such as a conference or festival, then choose the longest subscription period you can afford (typically a few years).
You probably only need one ICANN domain name and then the various Freedombone apps you might want can be set up on subdomains, such as /blog.mydomainname.net/.
* Dynamic DNS
You will also need a dynamic DNS account, and again this might be something you have to pay a subscription for. Your Freedombone system will have a local network address (typically 192.168.x.y or 10.x.y.z) and also a public IP address assigned by your ISP. Your ISP will change your public IP address every so often (that's why it's called "dynamic") and so there needs to be some way to link the domain name which you've obtained to your changing public IP address. That's what the dynamic DNS service does.
/Starting to think that this sounds like a rather shaky system which would be not too difficult for an adversary to disrupt - especially if they get cosy with ICANN or the dynamic DNS provider? You'd be right. But moving swiftly past that man behind a curtain.../
In simple terms what happens is that on a regular basis the Freedombone system will ping the dynamic DNS service and say "/this is my current public IP address/", so that the mapping between domain name and IP address can be maintained.
The dynamic DNS service will have their own DNS servers maintaining the IP address mappings, and so on the web site where you registered your domain name you will need to specify the servers of your dynamic DNS account. Look for an option such as "/change nameservers/" or "/custom nameservers/", remove any names which might already be there and then add the servers used by the dynamic DNS service. For example, if you're using FreeDNS then these servers would be:
#+begin_src text
NS1.AFRAID.ORG
NS2.AFRAID.ORG
NS3.AFRAID.ORG
NS4.AFRAID.ORG
#+end_src
It might take a few minutes for the changes to take effect, so don't be too hasty to conclude that it doesn't work.
** Configuring with FreeDNS
If you are using FreeDNS as a dynamic DNS provider then on their site select "/Domains/" and add your domain name (this might only be available to paid subscribers). Make sure that it's marked as "/private/" so that subdomains of your domain name are not used by other users of the site.
Select "Subdomains" from the menu on the left then select the MX entry for your domain and change the destination to *10:mydomainname* rather than *10:mail.mydomainname*.
* Setting up with Freedombone
When you start the base installation of the system it will ask you to choose a dynamic DNS provider and then enter the login details for the dynamic DNS service.
* A note about Tor
If you only want your sites to be available via Tor then none of the above is needed and you can access your sites and systems via their onion addresses. Tor has its own naming system which is independent from ICANN, and you also won't need TLS/SSL certificates since it also manages transport encryption itself. When building disk images use the *--onion yes* option, or choose one of the ready made onion disk images [[./downloads][from downloads]].
/Possible options for dealing with bulk surveillance at The Glass Room exhibition, 2017/
#+BEGIN_CENTER
#+ATTR_HTML: :border -1
| [[What applications are supported?]] |
| [[I don't have a static IP address. Can I still install this system?]] |
| [[Why Freedombone and not FreedomBox?]] |
| [[Why not support building images for Raspberry Pi?]] |
| [[Why use Tor? I've heard it's used by bad people]] |
| [[Why use Github?]] |
| [[Keys and emails should not be stored on servers. Why do you do that?]] |
| [[./mirrors.html][I have a question about mirrors or upstream repositories]] |
| [[Why can't I access my .onion site with a Tor browser?]] |
| [[What is the best hardware to run this system on?]] |
| [[Can I add more users to the system?]] |
| [[Why not use Signal for mobile chat?]] |
| [[What is the most secure chat app to use on mobile?]] |
| [[How do I remove a user from the system?]] |
| [[Why is logging for web sites turned off by default?]] |
| [[How do I reset the tripwire?]] |
| [[Is metadata protected?]] |
| [[How do I create email processing rules?]] |
| [[Why isn't dynamic DNS working?]] |
| [[How do I change my encryption settings?]] |
| [[How do I get a domain name?]] |
| [[How do I get a "real" SSL/TLS/HTTPS certificate?]] |
| [[How do I renew a Let's Encrypt certificate?]] |
| [[I tried to renew a Let's Encrypt certificate and it failed. What should I do?]] |
| [[Why use self-signed certificates?]] |
| [[Why not use the services of $company instead? They took the Seppuku pledge]] |
| [[Why does my email keep getting rejected as spam by Gmail/etc?]] |
| [[Does this project have a Code of Conduct?]] |
| [[What are the best microSD cards to use?]] |
| [[On a single board computer can I boot from an external SSD or hard drive?]] |
| [[How is Tor integrated with Freedombone?]] |
| [[Can I add a clearnet domain to an onion build?]] |
| [[What are the data protection implications of running this system?]] |
| [[After using nmap or other scanning tool I can no longer log in]] |
| [[Should I upload my GPG keys to keybase.io?]] |
| [[Tor is censored/blocked in my area. What can I do?]] |
| [[I want to block a particular domain from getting its content into my social network sites]] |
| [[The mesh system doesn't boot from USB drive]] |
| [[Mesh system doesn't connect to the network]] |
#+END_CENTER
* Does this project have a Code of Conduct?
Yes. It can be [[./codeofconduct.html][found here]].
* What applications are supported?
* *Email* - Server and Mutt client configured for use with GPG and Emacs or Vim
* *DLNA* - Play music on your local network devices
* *Dokuwiki* - Databaseless wiki
* *GNU Social* - Federated social network and resource sharing system
* *Gogs* - Host your git projects
* *qTox* - Chat and VoIP client on mesh networks
* *HTMLy* - Databaseless blogging system
* *Pelican* - Static blogging system used on mesh networks
* *Hubzilla* - Federated social networking and web publishing
* *IRC server*
* *Obnam* - Encrypted backups to USB or to other servers
* *Mumble* - VoIP and text chat
* *pi-hole* - Block internet ads on your local network
* *tt-rss* - Accessible via an onion address to give you /the right to read/ from any device
* *sipwitch* - Telephony system
* *Syncthing* - File sync
* *IPFS* - For accessing sites on a mesh network
* *Toxcore/Toxic* - Bootstrap node and client
* *XMPP server* - Including XEPs needed to support the Conversations Android app with OMEMO
* *Shell based web browser* - if all else fails then ssh to your server and browse from there
[[./apps.html][See here]] for the complete list of apps. In addition to those, the base install gives you an email server.
* I don't have a static IP address. Can I still install this system?
Yes. The minimum requirements are to have some hardware that you can install Debian onto and also that you have administrator access to your internet router so that you can forward ports to the system which has Freedombone installed.
The lack of a static IP address can be worked around by using a dynamic DNS service. Freedombone uses [[https://troglobit.com/inadyn.html][inadyn]], which supports a variety of dynamic DNS providers.
* What are the best microSD cards to use?
There can be big differences in the performance of microSD cards, and the cheaper ones are almost invariably terrible and/or unusable. Sandisk and Samsung currently appear to be the better brands. You can find some performance benchmarks [[http://www.pidramble.com/wiki/benchmarks/microsd-cards][here]]. However, benchmarks like this only give a very rough idea of performance and they can vary significantly between individual cards even within the same brand.
If you're struggling to get good performance out of your microSD card then you might want to consider running from a SATA drive or SSD instead. Some boards such as Cubieboard and Olinuxino have SATA sockets such that you can connect an SSD. It doesn't have to be high cost and the smallest SSD you can find will probably be enough. It's then possible to build an image with the *--sata* option or download one of the pre-built ones and copy it both to the microSD and SATA drive. SSD drives can give a 10x performance improvement over just using a microSD card.
* On a single board computer can I boot from an external SSD or hard drive?
Some single board computers, such as Cubieboards or OLinuxino, have a SATA socket on them which enables an external drive to be connected. This is usually intended for extra file storage, but it is also possible to run the operating system from an external drive. This can have the advantage of significantly increasing the read/write performance and your apps will appear to run more quickly.
Typically a microSD read speed is 10-30MB/s. An SSD or hard drive can be 100MB/s or more, so that's a big potential gain.
Single board computers usually don't have the capability of booting directly from an external drive, but what you can do is boot from a partition on a microSD drive, which then runs the main filesystem (the rootfs) from the external drive.
To create an image suitable for running from an SSD or hard drive use the --sata option, such as:
#+BEGIN_SRC bash
freedombone-image -t cubieboard2 --sata sda2
#+END_SRC
Note that the sata option should be set to point to the second partition on the drive, which is normally sda2.
When the image is created then use the dd command to copy it both to a microSD card and to the SSD or hard drive. Plug them both into the board and it should then boot and use the external drive.
* Why Freedombone and not FreedomBox?
When the project began in late 2013 the FreedomBox project seemed to be going nowhere, and was only designed to work with the DreamPlug hardware. There was some new hardware out - the Beaglebone Black - which could run Debian and was also a free hardware design so seemed more appropriate. Hence the name "Freedombone", being like FreedomBox but on a Beaglebone. There are some similarities and differences between the two projects:
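Review bot: "the sata option should be set to point to the second partition on the drive, which is normally sda2" does not say whose device name this is; presumably it is the name the board's kernel will use for the external drive once booted (the rootfs it mounts), not the name the drive has on the machine running freedombone-image, and a build host whose own disk is sda will lead readers to pick the wrong value, so state which it is. The next line, "use the dd command to copy it both to a microSD card and to the SSD or hard drive", gives no command at all; show both invocations with placeholder device names and a warning that writing to the wrong device overwrites it, since two removable devices are plugged in at the same time here.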
@ -84,7 +95,7 @@ When the project began in late 2013 the FreedomBox project seemed to be going no
- Both projects include wiki, blog, VoIP and file sync
- Both projects enable easy installation and removal of apps
- Both are typically "bare metal" rather than running as VMs or containers
- Both currently are hosted on Github
- Both can use the companion app for Android
** Differences
- FreedomBox is a Debian pure blend. Freedombone is not
- Freedombone only supports Free Software. FreedomBox includes some closed binary boot blobs for certain ARM boards
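Review bot: "Both currently are hosted on Github" in the Similarities list is contradicted later in the same FAQ, where the source is described as experimentally independently hosted (the install guide fetches it from code.freedombone.net) with Github at most a mirror; update or drop the list item so the two places agree.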
@ -100,21 +111,42 @@ The FreedomBox project supports Raspberry Pi builds, and the image build system
So although the Raspberry Pi is cheap and hugely popular it's not supported by the Freedombone project. Perhaps future versions of the Pi won't have the proprietary blob requirement, or maybe the blob will be open sourced at some stage.
* Why use Tor? I've heard it's used by bad people
Before you run screaming for the hills based upon whatever scare story you may have just read in the mainstream media there are a few things worthy of consideration. Tor is installed by default on Freedombone, /but not as a relay or exit node/. It's only used to provide onion addresses so that this gives you or the viewers of your sites some choice about how they access the information. It also allows you to subscribe to and read RSS feeds privately.
Years ago Tor was usually depicted in the mainstream media as something scary inhabited by cyberterrorists and other bad cybers, but today to a large extent Tor is accepted as just another way of routing data in a network. Depending upon where you live there may still be some amount of fearmongering about Tor, but it now seems clear that the trajectory is towards general acceptance.
Onion routing - which is what Tor provides - gives you some level of protection against bulk surveillance of metadata. These days governments and other organisations are in the business of collecting and analysing your metadata. They want to have comprehensive lists of which sites you visited, or who visited your sites. Tor may at least partially help to thwart their totalitarian ambitions to know everything about everyone all of the time.
Tor and its onion addresses, previously called hidden addresses, have a few key advantages:
Tor is not a perfect system and is not fully decentralised. Like all software it has bugs, but it can be considered to probably be an effective tactic against some of the most egregious surveillance fanatics out there.
* NAT traversal
* Firewall traversal
* Avoiding the domain name system (DNS), which is mostly centralized and not secure
* Avoiding passive bulk surveillance in which governments try to find out who is communicating with who
The media may also have sold you torrid tales about individual Tor project developers. While the conduct of individuals does matter, what matters far more is whether the technical system works and is practical for the average user. Don't allow your opinions of the technical system to be deflected by transient sex scandals or oppressive moralising, and /don't hold anyone to standards higher than you would apply to yourself/.
* Why use Github?
Github is paradoxically a centralized, closed and proprietary system which happens to mostly host free and open source projects. Up until now it has been relatively benign, but at some point in the name of "growth" it will likely start becoming more evil, or just become like SourceForge - which was also once much loved by FOSS developers, but turned into a den of malvertizing.
On the negative side it's a complex system which is not fully decentralized.
*How is Tor integrated with Freedombone?
Within this project Tor is used more to provide /accessibility/ than the /anonymity/ factor for which Tor is better known. The onion address system provides a way of being able to access sites even if you don't own a conventional domain name or don't have administrator access to your local internet router to be able to do port forwarding.
At present Github is useful just because of the sheer number of eyeballs and the easy discoverability of projects via search.
Tor is installed by default, but it's not configured as a relay or exit node. From the administrator control panel you can optionally set up a Tor bridge, but this is only for adverse situations and not usually advisable.
The source code for this project is experimentally independently hosted, and it is expected that in future the main development will shift over to an independent site, maybe with mirrors on Github if it still exists in a viable form.
When you install an app you will be able to access it from its onion address.
Currently many of the repositories used for applications which are not yet packaged for Debian are on Github, and to provide some degree of resilliance against depending too much upon that it's possible to use [[./mirrors.html][mirrors stored on another server]].
Even if you're running the "onion only" build, this only means that sites are accessible via onion addresses. It doesn't mean that everything gets routed through Tor. If full anonymity is your aim then it's probably a good idea to just stick strictly to using TAILS.
* Can I add a clearnet domain to an onion build?
You could if you manually edited the relevant nginx configuration files and installed some dynamic DNS system yourself. If you already have sysadmin knowledge then that's probably not too hard. But the builds created with the *onion-addresses-only* option aren't really intended to support access via clearnet domains.
* What are the data protection implications of running this system?
Data protection laws such as [[https://en.wikipedia.org/wiki/General_Data_Protection_Regulation][GDPR]] in the EU or the [[https://en.wikipedia.org/wiki/Data_Protection_Act_1998][Data Protection Act]] in the UK usually only apply to formal organizations which are recognized as being legal entities. So you have to be running a business or a charity or some other formal organization in order for the storage of what's known as /personally identifying information/ to potentially become a legal issue. Laws like this usually include:
* A right to obtain your information
* A right to be forgotten (i.e. to have your data permanently deleted)
* Ensuring that stored personal data remains accurate
If you're self-hosting then in the language of data protection law the "/data controller/" and the "/data subject/" are one and the same, so there isn't any power differential of that sort. Freedombone is only intended for small numbers of users, so if you are hosting more than one person chances are that you know the others quite well and can arrange to update their data or delete their account if that's needed. Even if data protection laws are later extended to include home server type scenarios it's unlikely that this will become a problem.
For the mesh version similar applies. Each peer stores their own personal data and it never gets aggregated and stored in any centralized way.
* After using nmap or other scanning tool I can no longer log in
This system tries to block port scanners. Any other system trying to scan for open ports will have their IP address added to a temporary block list for 24 hours.
* Should I upload my GPG keys to keybase.io?
It's not recommended unless there exists some compelling reason for you to be on there. That site asks users to upload the *private keys*, and even if the keys are client side encrypted with a passphrase there's always the chance that there will be a data leak in future and letter agencies will then have a full time opportunity to crack the passphrases.
Saying something resembling "/only noobs will use crackable private key passphrases/" isn't good enough. A passphrase should not be considered to be a substitute for a private key.
* Keys and emails should not be stored on servers. Why do you do that?
Ordinarily this is good advice. However, the threat model for a device in your home is different from the one for a generic server in a massive warehouse. Compare and contrast:
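Review bot: the heading `*How is Tor integrated with Freedombone?` is missing the space after the asterisk, so org-mode will not treat it as a new entry and its paragraphs will run into the preceding answer; write it as `* How is Tor integrated with Freedombone?` like the other FAQ headings. In the "Why use Tor?" answer, "have a few key advantages:" is immediately followed by "Tor is not a perfect system..." and only then by the bullet list of advantages; move that sentence below the list. The "After using nmap" entry explains the 24-hour block but not how a locked-out administrator gets back in (wait out the 24 hours, or connect from an address that was not scanning), which is what the question asks. Also "resilliance" should read "resilience".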
@ -138,7 +170,7 @@ It was originally designed to run on the Beaglebone Black, but that should be re
/Out of fashion/ but still working computer hardware tends to be cheap and readily available, yet still good for providing internet services.
* Can I add more users to the system?
Yes. Freedombone can support a small number of users, for a "/friends and family/" type of home installation. This gives them access to an email account, XMPP, SIP phone and the blog (depending on whether the variant which you installed includes those).
Yes. Freedombone can support a small number of users, for a "/friends and family/" type of home installation. This gives them access to an email account, XMPP, VoIP, NextCloud and possibly other apps which have been installed.
#+begin_src bash
ssh username@mydomainname -p 2222
@ -154,10 +186,11 @@ Celebrities recommend Signal. It's Free Software so it must be good, right?
If you are currently using a proprietary chat app, something without any encryption or something /really bad/ such as Telegram, then Signal is definitely a step up in terms of security. But Signal has problems, which can be summarised as:
* *It uses phone numbers*. Phone numbers are used for Signal's initial verification, and they can of course be intercepted or faked. Plus it means that Open Whisper Systems keeps a list of phone numbers on its centralised server for its /"X has joined Signal"/ notification. Even if they're hashed, they're still unique identifiers and [[https://en.wikipedia.org/wiki/Rainbow_table][rainbow tables]] for the phone number system probably exist. Phone numbers are convenient for some users, but are also a non-trivial security risk. If you're using Signal then consider what it knows about who your contacts are, where that data is located and who else might have access to that. Consider what might happen if an adversary gets to know your mobile number.
* *It's based on a single server* run by Open Whisper Systems. That's a single point of failure and ought to be a big red flag (of the sporting rather than the socialist variety) as a possible locus for concentrated nefariousness.
* *It requires the installation of Google Play*. If you already have Google Play installed on a stock Android OS then this doesn't increase your security problems, but for other more secure Android variants it's a massive increase in attack surface.
* *It requires the installation of Google Play*. If you already have Google Play installed on a stock Android OS then this doesn't increase your security problems, but for other more secure Android variants it's a massive increase in attack surface. There is a separate apk available for download, but it won't receive updates and the hash shown on the site often doesn't match.
* *It depends entirely upon the Google message pushing system*. That means that Google /at least knows who Signal messages are being sent to and may be able to infer the rest via your (insecure) Android phone contact list or via timing correlation of alternating deliveries/. Remember that for an adversary metadata in aggregate is much better than having the content of messages. At any time Google could decide that it doesn't want to support Signal, or in adverse circumstances they could be leaned upon by the usual agencies or government cronies.
* *Their privacy policy indicates that they will give whatever server data they have to third parties* under some conditions. Of course this is always claimed to be /for the very best of reasons/ - such as combating fraud - but once that sort of disclosure capability exists it may be abused without you ever knowing about it.
* *Their privacy policy indicates that they will give whatever server data they have to third parties* under some conditions. Of course this is always claimed to be /for the very best of reasons/ - such as combating fraud - but once that sort of disclosure capability exists it may be abused without you ever knowing about it. Consider how difficult, or not, it may be for a government to reverse engineer a database of hashed telephone numbers.
* *Forking isn't really an option*. A fork was tried, but Moxie got annoyed when it still used his server. At the same time the level of interest in federating the server is not detectable with our best intrumentation, and is suspected to be negative. That's a catch 22 which effectively means that independent implementations of Signal will always leave some users unable to communicate with each other.
To give credit where it's due Signal is good, but it could be a lot better. The real solution for private chat is to run your own XMPP server, as you can with Freedombone, or to have someone within your community do that. /There is no substitute for a decentralised solution which is within the control of your community/.
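Review bot: the added clause "the hash shown on the site often doesn't match" in the Google Play bullet is a factual claim about a third party's release process with no reference; either cite where this was observed or narrow it to what was actually seen. "intrumentation" should read "instrumentation".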
@ -188,7 +221,7 @@ The tripwire will be automatically reset once per week. If you want to reset it
ssh username@mydomain -p 2222
#+end_src
Select /Administrator controls/ then "reset tripwire" using cursors and space bar then enter.
Select /Administrator controls/ then /Security settings/ then /reset tripwire/.
* Is metadata protected?
#+BEGIN_QUOTE
"/We kill people based on metadata/"
@ -275,16 +308,6 @@ service exim4 restart
You should now be able to send an email from /postmaster@mynewdomainname/ and it should arrive in your inbox.
* How do I get a "real" SSL/TLS/HTTPS certificate?
If you did the full install or selected the social variant then the system will have tried to obtain a Let's Encrypt certificate automatically during the install process. If this failed for any reason, or if you have created a new site which you need a certificate for then do the following:
#+begin_src bash
ssh username@mydomainname -p 2222
#+end_src
Select /Administrator controls/ then *Security settings* then *Create a new Let's Encrypt certificate*.
One thing to be aware of is that Let's Encrypt doesn't support many dynamic DNS subdomains, such as those from freeDNS, so to run Hubzilla and GNU Social you will need to have your own official domains for those. There are many sites from which you can buy cheap domain names, and while this isn't ideal in terms of making you dependent upon another company it's the only option currently.
* How do I renew a Let's Encrypt certificate?
Normally certificates will be automatically renewed once per month, so you don't need to be concerned about it. If anything goes wrong with the automatic renewal then you should receive a warning email.
Select /Administrator controls/ then *Security settings* then *Create a new Let's Encrypt certificate*.
* Why use self-signed certificates?
Almost everywhere on the web you will read that self-signed certificates are worthless. They bring up /scary-scary looking/ browser warnings and gurus will advise you not to use them. Self-signed certificates are quite useful though. What the scary warnings mean - and it would be good if they explained this more clearly - is that you have an encrypted connection established but there is /no certainty about who that connection is with/. They probably will protect the content of your communications from passive bulk interception - such as the tapping of under-sea cables.
The current strategy on this system is to typically create self-signed certificates during the initial installation but also to have the ability to easily convert those to LetsEncrypt certificates via the security settings on the administrator control panel.
You might say, /"but surely LetsEncrypt is a single point of failure!"/, and you'd be right. Maybe at some point in future LetsEncrypt is no longer a thing, or no longer considered sufficiently secure. That's why building in total dependence upon one organisation is a bad idea, and it's still possible to have self-signed certs as a fallback option.
* Why not use the services of $company instead? They took the Seppuku pledge
[[https://cryptostorm.org/viewtopic.php?f=63&t=2954&sid=7de2d1e699cfde2f574e6a7f6ea5a173][That pledge]] is utterly worthless. Years ago people trusted Google in the same sort of way, because they promised not be be evil and because a lot of the engineers working for them seemed like honest types who were "/on our side/". Post-[[https://en.wikipedia.org/wiki/Nymwars][nymwars]] and post-[[https://en.wikipedia.org/wiki/PRISM_%28surveillance_program%29][PRISM]] we know exactly how much Google cared about the privacy and security of its users. But Google is only one particular example. In general don't trust pledges made by companies, even if the people running them seem really sincere.
* Why does my email keep getting rejected as spam by Gmail/etc?
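Review bot: the "How do I renew a Let's Encrypt certificate?" answer ends at *Create a new Let's Encrypt certificate*, the same menu item the creation answer above it uses, without saying so; state that a manual renewal is done by re-creating the certificate through that item, otherwise readers will look for a separate renew option. In "Why use self-signed certificates?" the text says the warning means "no certainty about who that connection is with" but stops there; add how a user can check the certificate fingerprint out of band (as the install guide does for the ssh host key via the About screen), since without that step an active interceptor is indistinguishable from the real site.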
@ -328,9 +344,34 @@ This may work, at least when using Mutt, and admittedly if it does then it's a c
The current arrangement with email blocking works well for the big internet companies because it effectively centralises email to a few well-known brand names and keeps any independent servers out, or creates dependencies like the one just described in which you become a second class citizen of the internet.
So the situation with email presently is pretty bad, and there's a clear selection pressure against decentralization and towards only a few companies controlling all email services. Longer term the solution is to have more secure protocols which make spamming hard or expensive.
* Tor is censored/blocked in my area. What can I do?
If you can find some details for an obfs4 Tor bridge (its IP address, port number and key or nickname) then you can set up the system to use it to connect to the Tor network. Unlike relay nodes the IP addresses for bridges are not public information and so can't be easily known and added to block lists by authoritarian regimes or over-zealous ISPs.
#+BEGIN_EXPORT html
<center>
Return to the <a href="index.html">home page</a>
</center>
#+END_EXPORT
ssh into your Freedombone system, go to the *administrator control panel*, select *security settings* then *Tor Bridges* and *Add a bridge*. You can then enter the details.
Any bridges that you add will also show up on the About screen of the administrator control panel.
You can also set your system to act as a Tor bridge, although this is not recommended since in most cases you will have a dynamic external IP address. If you need to help someone get around local censorship temporarily though this could be an option.
* I want to block a particular domain from getting its content into my social network sites
If you're being pestered by some domain which contains bad/illegal/harrassing content or irritating users you can block domains at the firewall level. Go to the administrator control panel and select /domain blocking/. You can then block, unblock and view the list of blocked domains.
#+begin_src
ssh username@domainname -p 2222
#+end_src
Select /Administrator controls/ then /Domain blocking/.
* The mesh system doesn't boot from USB drive
If the system doesn't boot and reports an error which includes */dev/mapper/loop0p1* then reboot with *Ctrl-Alt-Del* and when you see the grub menu press *e* and manually change */dev/mapper/loop0p1* to */dev/sdb1*, then press *Ctrl-x*. If that doesn't work then reboot and try */dev/sdc1* instead.
After the system has booted successfully the problem should resolve itself on subsequent reboots.
* Mesh system doesn't connect to the network
Sometimes after boot the mesh system won't connect to other peers on the network. If this happens select the *network restart* icon and enter the password, which by default is just "freedombone". Wait for a few minutes to see if it connects.
Some things you might want to know about the Fediverse:
* Federation as a concept
The political definition of a federation is "/a union of partially self-governing states or regions under a central (federal) government/". The fediverse isn't exactly like that, in that there is no federal government. However there are protocols which govern the communication between instances and that might be analogized to being a sort of elementary constitution or mutual agreement binding all participants together. The protocols are merely ways of moving data around though, and don't impose any sort of moral code.
* Keep the number of users on each server small
The importance of this can't be overstated. Servers with lots of users always eventually have problems where the interests of the users are not the same as the interests of the server administrator. If you are the server administrator, or if there are only a small squad-size group of people on the server, then it's a lot easier to resolve differences and everyone's interests are likely to be similar.
* Drama will happen
It's inevitable in any social network, but fortunately your options for dealing with it are better than they are in the giant proprietary monoliths. In the proprietary world Google or Facebook don't give a damn about the fate of individual users. On a server with a small number of users if you're getting griefed then the administrator is likely to care and be able to do something about it.
* Don't be afraid to block
Especially if other servers are publishing content which may not be legal in your jurisdiction then don't be afraid to use domain or user blocking from the *Administrator control panel*. The same applies if users on other servers are trying to harass you. Blocking creates politics and drama but _this is a feature not a bug_. It allows you to craft your own distinct community and user experience while also existing in the wider federation. It's hard to do this on sites like Twitter or Facebook. Try to keep blocking to a minimum though and avoid doing it for insubstantial reasons. If you have other users on your server then publish the blocked domains list somewhere they can see. That avoids disappointment and enables you to have a discussion about the validity of blocking decisions.
* Network structure maps on to social structure
Over time follows and blocking rules come to match the underlying social geography of affinity groups. Blocking will happen and users will move around or start new servers. Drama related to blocking will dissipate.
* Keep your follows under the Dunbar number
Keep the number of other frequently active users you're following to under a couple of hundred. Your actual number of follows might be larger than this but could include users who rarely post anything.
Once there are more than a couple of hundred highly active users in your timeline then you'll just be overwhelmed by irrelevant stuff and whatever community you may have been part of will be drowned in the entropy. There are no algorithmic timelines to hide posts, and even if they're introduced then they create their own problems as an opaque form of censorship. _Real community happens at tribal scale_. It's something which people often don't like to admit because they get fixated upon bigger and bigger numbers, but it definitely seems to be true.
* Avoid big public servers
It may seem like a good idea and it may seem like you're doing a service to the community by allowing random strangers to register, but servers with thousands of users only cause problems - social, administrative, financial and possibly also legal. The financial strain of running a powerful server with high reliability may be enough to encourage the administrator to begin pushing advertising onto the system, or sell user content, and then before you know it you have identical problems to Twitter. Instead try to encourage people to set up their own servers. Follow this principle and a lot of arguments and stress will be more easily avoided.
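Review bot: "you can block domains at the firewall level" in the domain-blocking entry is underspecified: a packet filter only knows the addresses a domain resolves to when the rule is written, so say whether the block is applied to resolved IPs (and refreshed) or at the web server/application layer, as that decides whether a blocked instance that changes hosting stays blocked. Style: the `#+begin_src` before `ssh username@domainname -p 2222` lacks the `bash` tag the other blocks carry, and the host placeholder varies between entries (mydomainname, mydomain, domainname). "harrassing" should read "harassing".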
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
The quickest way to get started is as follows. You will need to be running a Debian based system (version 8 or later), have an old but still working laptop or netbook which you can use as a server, and 8GB or larger USB thumb drive and an ethernet cable to connect the laptop to your internet router.
First install freedombone onto your local system (not the target hardware that you want to run Freedombone on). On a debian based distro:
If you can't obtain a copy of the source code from *code.freedombone.net* (maybe the server is down) then you may still be able to obtain it with:
#+begin_src bash
dat clone dat://e9cbf606e55cdaa85199f4e6ec25ff7456775389979a668b3faf33e057493f8e/
cd e9cbf606e55cdaa85199f4e6ec25ff7456775389979a668b3faf33e057493f8e
tar -xzvf freedombone.tar.gz
cd freedombone
git checkout stretch
#+end_src
Now prepare your local system to talk to the freedombone by running the following command. This will set up avahi and create ssh keys if necessary.
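Review bot: "On a debian based distro:" ends with a colon but nothing follows it before the fallback paragraph "If you can't obtain a copy..."; check that the package/git install commands were not dropped from this hunk. Also "and 8GB or larger USB thumb drive" should read "an 8GB or larger USB thumb drive".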
@ -47,17 +54,17 @@ Now prepare your local system to talk to the freedombone by running the followin
freedombone-client
#+end_src
#+BEGIN_CENTER
#+attr_html: :width 80% :align center
[[file:images/tor_onion.jpg]]
#+END_CENTER
The version in which sites are available only via onion addresses is the easiest to get started with, since you can evaluate the system without committing to buying an ICANN domain name or needing to get involved with SSL/TLS certificates at all. However, if you do want your sites to be available typically as subdomains of a domain name which you own then remove the *--onion yes* option from the last command shown above.
The version in which sites are available only via onion addresses is the easiest to get started with, since you can evaluate the system without committing to buying an ICANN domain name or needing to get involved with SSL/TLS certificates at all. However, if you do want your sites to be available typically as subdomains of a domain name which you own then remove the *--onion-addresses-only yes* option from the last command shown above. Also see the [[./domains.html][guide on setting up an ICANN domain name]].
The *onion-addresses-only* option *does not* mean that everything gets routed through Tor. It's intended to provide accessible web apps with minimum fuss and without needing to buy a clearnet domain name or mess with forwarding ports. Using apps via their onion addresses may provide some degree of anonymity but it may not be perfect and anonymity isn't the aim of this system (if you want that then use [[https://tails.boum.org/][TAILS]]).
If you want to create images for microSD cards used within various single board computers then replace the *i386* with *beaglebone*/ *cubieboard2* /*cubietruck*/ *a20-olinuxino-lime* /*a20-olinuxino-lime2* / *a20-olinuxino-micro* or *apu*.
#+BEGIN_CENTER
#+attr_html: :width 80% :align center
[[file:images/beaglebone_black9.jpg]]
#+END_CENTER
This takes a while. Maybe an hour or so, depending on the speed of your system and the internets. The good news though is that once created you can use the resulting image any number of times, and you don't need to trust some pre-built image.
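Review bot: the board list "*beaglebone*/ *cubieboard2* /*cubietruck*/ *a20-olinuxino-lime* /*a20-olinuxino-lime2* / *a20-olinuxino-micro*" mixes org bold markers with slashes, which org-mode reads as italic delimiters, so the rendered list will carry stray emphasis; separate the names with commas or put them in verbatim spans. The replacement sentence renames the option to *--onion-addresses-only yes*; make sure the command it points at ("the last command shown above", outside this hunk) was updated to match.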
@ -72,7 +79,8 @@ Now plug in the USB thumb drive, and do the same again. Notice which drive lette
You can now copy the image to the USB thumb drive, replacing *sdX* with the identifier of the USB thumb drive. Don't include any numbers (so for example use *sdc* instead of *sdc1*).
And wait. Again it will take a while to copy over. When that's done plug it into the laptop or netbook which you want to use as a server, power on and set the BIOS to boot from the USB stick.
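Review bot: the copy step says to replace *sdX* with the USB drive's identifier but gives no caution that pointing dd at the wrong device overwrites it without prompting, which on a laptop with an internal disk is an easy mistake; add a line telling the reader to re-check the identifier (for example with `lsblk`) before running it.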
@ -104,9 +112,8 @@ freedombone-client --verify
This will show the hash code for the public ssh key of the Freedombone system.
#+BEGIN_CENTER
#+attr_html: :width 80% :align center
[[file:images/ssh_key_verify.jpg]]
#+END_CENTER
Open another terminal window then run:
@ -115,17 +122,15 @@ freedombone-client
ssh myusername@freedombone.local -p 2222
#+end_src
Use the password you wrote down earlier to log in. Select the *administrator control panel* with up and down cursor keys, space bar and enter key. You should see something like this, and you might need to re-enter your password.
Use the password you wrote down earlier to log in. Select the *administrator control panel* with up and down cursor keys and enter key. You should see something like this, and you might need to re-enter your password.
#+BEGIN_CENTER
#+attr_html: :width 80% :align center
[[file:images/controlpanel/control_panel.jpg]]
#+END_CENTER
Then select *About*. You'll see a list of sites and their onion addresses.
The About screen contains the ssh server public key hashes and you can compare the relevant one with the previous terminal window to verify that they're the same. If they're not then you might have a /machine-in-the-middle/ snooping on you.
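Review bot: the host-key check happens after the login, so the password is typed before anything has been verified: "ssh myusername@freedombone.local -p 2222", "Use the password you wrote down earlier to log in", and only then the hash comparison on the About screen. The hash from `freedombone-client --verify` should be compared with the fingerprint ssh prints at the first-connection prompt, before accepting it and entering the password; the About-screen comparison can remain as a second check.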
@ -133,11 +138,10 @@ You have now confirmed a secure connection. Probably. If you're still sceptical
Press any key to exit from the About screen. You can then select *Add/Remove apps* and add whatever applications you wish to run. Note that some apps will only run on x86 systems, but most will install and run on ARM single board computers. More details on particular apps can be [[./apps.html][found here]].
Once your apps have installed you can go back to the About screen, pick an onion address and try it within a Tor compatible browser. You'll need to know the login passwords and those can be found within the /Passwords/ section of the administrator control panel. An axiom of the Freedombone system is that /if given the choice users will usually use insecure passwords/, so on this system passwords are generated randomly. If you need to then you can transfer the passwords into your favourite password manager and remove them from the server by going to the *Security Settings* section of the administrator control panel and choosing *Password storage*.
Once your apps have installed you can go back to the About screen, pick an onion address and try it within a Tor compatible browser. You'll need to know the login passwords and those can be found within the /Passwords/ section of the administrator control panel. An axiom of the Freedombone system is that /if given the choice users will usually use insecure passwords/, so on this system passwords are generated randomly. If you need to then you can transfer the passwords into your favourite password manager and remove them from the server by going to the *Security Settings* section of the administrator control panel and choosing *Export passwords* and *Password storage*.
*Congratulations! You have now become a citizen of the free internet.*
Of course, this is just one way in which you can install the Freedombone system.
#+begin_src bash
man freedombone-image
#+end_src
#+BEGIN_CENTER
This site can also be accessed via a Tor browser at http://2tp3f6vtvhkqpuc6.onion
#+END_CENTER
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
"/With the increasing move of our computing to cloud infrastructures, we give up the control of our computing to the managers of those infrastructures. Our terminals (laptops, desktops) might now be running entirely on Free Software, but this is increasingly irrelevant given that most of what actually matters gets executed on a remote closed system that we don’t control. The Free Software community needs to work to help users keep the control of all their computing, by developing suitable alternatives and facilitating their deployment./"
So you want to run your own internet services? Email, chat, VoIP, web sites, file synchronisation, wikis, blogs, social networks, backups. Freedombone enables you to do all of that in a self-hosted way, where you keep control of your data and it resides in your own home.
You can run Freedombone on an old laptop or a single board computer. See the [[./installmethods.html][list of installation methods]]. You can also use it to [[./mesh.html][set up a mesh network]] in your local area.
See [[./homeserver.html][how to set up a home server]], or how to install [[./beaglebone.html][on a Beaglebone Black]].
Want to make a community mesh network which doesn't depend upon the internet?
[[./mesh.html][You can do that too]].
After installation it's possible that you might want some advice on how to run your system and set up apps to work nicely with it.
* [[./apps.html][Apps available on the system]]
* [[./usage.html][General usage]]
* [[./faq.html][Frequently Asked Questions]]
If you find bugs, or want to add a new app to this system see the [[./devguide.html][Developers Guide]].
Before installing Freedombone you will need a few things.
* Have some domains, or subdomains, registered with a dynamic DNS service. For the full install you may need two "official" purchased domains or be using a subdomain provider which is supported by Let's Encrypt.
* System with a new installation of Debian Stretch or a downloaded/prepared disk image
* Ethernet connection between the system and your internet router
* That it is possible to forward ports from the internet router to the system, typically via firewall settings
* Have ssh access to the system, typically via fbone@freedombone.local on port 2222
There are three install options: Laptop/Desktop/Netbook, SBC and Virtual Machine.
** On a Laptop, Netbook or Desktop machine
If you have an existing system, such as an old laptop or netbook which you can leave running as a server, then install a new version of Debian Stretch onto it. During the Debian install you won't need the print server or the desktop environment, and unchecking those will reduce the attack surface. Once Debian is installed, enter the following commands:
Most people don't have a static external IP address, so you will need to have an account on a dynamic DNS service. [[https://freedns.afraid.org][FreeDNS]] is the one recommended, but others are available.
If you want systems to be available within an ordinary web browser, such as Firefox, then you will need to [[./domains.html][obtain a domain name]].
A list of other supported ARM boards [[./boards.html][can be found here]], or you can install onto an old laptop or netbook. Some installation instructions for different use cases are:
* [[./homeserver.html][Typical installation]]
* Installing [[./beaglebone.html][on a Beaglebone Black]]
* Installing on an [[./debianinstall.html][existing Debian system]]
* Installing [[./armbian.html][on Armbian]], for unsupported ARM boards such as Raspberry Pi
* Creating a dedicated [[./socialinstance.html][fediverse instance]] for a single user or to host a community
* Deploying a [[./mesh.html][mesh network]] which can operate with or without the internet
* [[./users.html][Adding or removing users]]
* [[./security.html][Improving security]]
* [[./mobile.html][Advice on setting up a mobile phone]]
The Freedombone Mesh is a wireless solution for autonomous or internet connected communication that can be rapidly deployed in temporary, emergency or post-disaster situations where internet access is unavailable or compromised.
* [[./mesh_images.html][Disk images and how to build them]]
* [[./mesh_custom.html][Customisation]]
* [[./mesh_usage.html][How to use it]]
#+attr_html: :width 100% :align center
[[file:images/mesh_desktop1.png]]
* What the system can do
Mesh networks are useful as a quick way to make a fully decentralised communications system which is not connected to or reliant upon the internet. Think festivals, hacker conferences, onboard ships at sea, disaster/war zones, small businesses who don't want the overhead of server maintenance, protests, remote areas of the world, temporary "digital blackouts", scientific expeditions and off-world space colonies.
- Discovery of other users on the network
- Text based chat, one-to-one and in groups
- Voice chat (VoIP)
- Private and public sharing of files
- Blogging
- Collaborative editing of documents and presentations
- Social network stream. Follow/unfollow other peers
- No network administration required
- No servers
- Internet connection is optional
- Works from bootable USB drives or microSD drives
- Data is mesh routed between systems
- Private communications are end-to-end encrypted and forward secret
- Publicly shared data is /content addressable/
If an internet connection is available then it can make use of that, but otherwise it can still work regardless of whether the internet exists. So it's not dependent upon ISPs and additional infrastructure other than USB drives isn't required.
This system should be quite scalable. Both qTox and IPFS are based upon distributed hash tables (DHT) so that each peer does not need to store the full index of data for the entire network. Gossiping between SSB peers may be slower, but the [[https://en.wikipedia.org/wiki/Small-world_network][small world effect]] will presumably still make for quite efficient delivery in a large network. Caching or pinning of IPFS data and its content addressability means that if a file or blog becomes popular then performance should improve as the number of downloads increases, which is the opposite of the client/server paradigm.
Systems only need to be within wifi range of each other for the mesh to be created, so it can be a very convenient way to create a local communications network.
Like [[https://libremesh.org][LibreMesh]], this system uses a combination of [[https://en.wikipedia.org/wiki/B.A.T.M.A.N.][batman-adv]] on network layer 2 and [[http://bmx6.net][BMX]] on layer 3. Routing protocols [[http://www.olsr.org][OLSR2]] and [[https://www.irif.fr/~jch/software/babel][Babel]] are also selectable.
* Customisation
If you want to make your own specially branded version, such as for a particular event, then to change the default desktop backgrounds edit the images within *img/backgrounds* and to change the available avatars and desktop icons edit the images within *img/avatars*. Re-create disk images using the instructions shown previously.
If you need particular /dconf/ commands to alter desktop appearance or behavior then see the function /mesh_client_startup_applications/ within *src/freedombone-image-customise*.
* How to use it
When you first boot from the USB drive the system will create some encryption keys, assign a unique network address to the system and then reboot itself. When that's done you should see a prompt asking for a username. This username just makes it easy for others to initially find you on the mesh and will appear in the list of users.
After a minute or two if you are within wifi range and there is at least one other user on the network then you should see additional icons appear on the desktop, such as /Other Users/ and /Chat/.
** Set the Date
On the ordinary internet the date and time of your system would be set automatically via NTP. But this is not the internet and so you will need to manually ensure that your date and time settings are correct. You might need to periodically do this if your clock drifts. It's not essential that the time on your system be highly accurate, but if it drifts too far or goes back to epoch then things could become a little confusing in regard to the order of blog posts.
*Right click on the date* in the top right corner of the screen. Select *preferences*, then click the *Time Settings* button. You can then select the date from the calendar and set the time, then click the *Set System Time* button. Enter the default password, which is /freedombone/.
** Check network status
Unlike with ordinary wifi, on the mesh you don't get a signal strength icon and so it's not simple to see if you have a good connection.
Select the wifi icon on the desktop and enter the password '/freedombone/'. The network configuration will go into a monitoring mode and in the bottom right side of the window you will be able to see signal strength and other parameters. This can help you to locate systems or adjust antennas to get the best wifi performance.
#+BEGIN_CENTER
[[file:images/mesh_signal.jpg]]
#+END_CENTER
When you are finished close the window and then select the /Network Restart/ desktop icon, which will restart the B.A.T.M.A.N. network. You can also use the restart icon if you are within range of the mesh network but the /Chat/ and /Other Users/ icons do not automatically appear after a few minutes.
** Chat System
Ensure that you're within wifi range of at least one other mesh peer (could be a router or client) and then you should see that the /Chat/ and /Other Users/ icons appear. Select the users icon and you should see a list of users on the mesh. Select the /Chat/ icon and once you are connected you should see the status light turn green. If after a few minutes you don't get the green status light then try closing and re-opening the Tox chat application. Select the plus button to add a friend and then copy and paste in a Tox ID from the users list.
#+BEGIN_CENTER
[[file:images/mesh_paste_tox_id.jpg]]
#+END_CENTER
The other user can then accept or decline your friend request.
#+BEGIN_CENTER
[[file:images/mesh_friend_request.jpg]]
#+END_CENTER
You can also select an avatar by selecting the grey head and shoulders image.
#+BEGIN_CENTER
[[file:images/mesh_choose_avatar.jpg]]
#+END_CENTER
And by selecting the user from the list on the left hand side the chat can begin.
#+BEGIN_CENTER
[[file:images/mesh_text_chat.jpg]]
#+END_CENTER
One important point is that by default the microphone is turned off. When doing voice chat you can select the microphone volume with the drop down slider in the top right corner of the screen.
At present video doesn't work reliably, but text and voice chat do work well.
** Sharing Files
You can make files publicly available on the network simply by dragging and dropping them into the /Public/ folder on the desktop. To view the files belonging to another user select the desktop icon called /Visit a site/ and enter the username or Tox ID of the other user.
#+BEGIN_CENTER
[[file:images/mesh_share_files.jpg]]
#+END_CENTER
** Blogging
To create a blog post select the /Blog/ icon on the desktop and then use the up and down cursor keys, space bar and enter key to add a new entry. Edit the title of the entry and add your text. You can also include photos if you wish - just copy them to the *CreateBlog/content/images* directory and then link to them as shown.
#+BEGIN_CENTER
[[file:images/mesh_new_blog.jpg]]
#+END_CENTER
To finish your blog entry just select /Save/ and then close the editor. On older hardware it may take a while to publish the results, and this depends upon the amount of computation needed by IPFS to create file hashes. If you make no changes to the default text then the new blog entry will not be saved.
#+BEGIN_CENTER
[[file:images/mesh_new_blog2.jpg]]
#+END_CENTER
#+BEGIN_CENTER
[[file:images/mesh_view_blog.jpg]]
#+END_CENTER
You can also visit other blogs, edit or delete your previous entry and also change your blog theme.
* Disk Images
There may be situations where you need to write the same disk image to multiple drives at the same time in order to maximize rate of deployment. In the instructions given below the *dd* command is used for writing to the target drive, but to write to multiple drives you can use a tool such as [[https://wiki.gnome.org/Apps/MultiWriter][GNOME MultiWriter]].
For example on Arch/Parabola:
#+begin_src bash
sudo pacman -S gnome-multi-writer
#+end_src
Or on Debian based systems:
#+begin_src bash
sudo apt-get install gnome-multi-writer
#+end_src
The MultiWriter tool is also available within mesh client images, so that you can use mesh systems to create more copies of the same system.
** Client images
#+attr_html: :width 100% :align center
[[file:images/mesh_netbook.jpg]]
"Client" isn't exactly the right term, but it's a mesh peer with a user interface. These images can be copied to a USB drive, then you can plug it into a laptop/netbook/desktop machine and boot from it. You will probably also need an Atheros USB wifi dongle (the black protruding object on the left side of the netbook in the picture above), because most built-in wifi usually requires proprietary firmware. In the commands below substitute /dev/sdX with the USB drive device, excluding any trailing numbers (eg. /dev/sdb). The USB drive you're copying to will need to be at least 16GB in size.
Install some prerequisites:
#+begin_src bash
sudo apt-get install xz-utils nodejs
sudo npm install -g dat
#+end_src
To download images with dat:
#+begin_src bash
dat clone dat://e2ed9767d6ab64f4c43a2adbce65af225133fec7ba95737f0a2f6ae292ba358e/
cd e2ed9767d6ab64f4c43a2adbce65af225133fec7ba95737f0a2f6ae292ba358e
#+end_src
To get a number of systems onto the mesh repeat the /dd/ command to create however many bootable USB drives you need.
If you're in an emergency and don't have Atheros wifi dongles then there is also an "insecure" image which contains some proprietary wifi drivers which may work with a wider range of laptops. Proprietary drivers *are not recommended* because they're unsupportable and may be exploitable or contain malicious antifeatures which fundamentally compromise the security of the network. However, the trade-off between security/maintainability and simply having the ability to communicate at all may be a valid one in some situations.
Install some prerequisites:
#+begin_src bash
sudo apt-get install xz-utils nodejs
sudo npm install -g dat
#+end_src
To download images with dat:
#+begin_src bash
dat clone dat://6d1b73d13b6f9b5c481c6dfd64be6aa58e1cd2d153a6bb04bbc177999ee9925e/
cd 6d1b73d13b6f9b5c481c6dfd64be6aa58e1cd2d153a6bb04bbc177999ee9925e
#+end_src
** Router images
Routers are intended to build network coverage for an area using small and low cost hardware. You can bolt them to walls or leave them on window ledges. They don't have any user interface and their only job is to haul network traffic across the mesh and to enable peers to find each other via running bootstrap nodes for Tox and IPFS. Copy the image to a microSD card and insert it into the router, plug in an Atheros wifi dongle and power on. That should be all you need to do.
*** Beaglebone Black
#+attr_html: :width 50% :align center
[[file:images/mesh_router.jpg]]
The above picture shows a Beaglebone Black with the image copied onto a microSD card (there's no need to do anything with the internal EMMC). A USB Atheros wifi adaptor with a large antenna is attached and in this case power is from the mains, although it could be from a battery or solar power system capable of supplying 5 volts and maybe 1A (depending upon how active the router is).
Install some prerequisites:
#+begin_src bash
sudo apt-get install xz-utils nodejs
sudo npm install -g dat
#+end_src
To download images with dat:
#+begin_src bash
dat clone dat://a4e79e49c6e77b919d4ae4827037e813ef1ba2734c342d0d78146ce16a819ebb/
cd a4e79e49c6e77b919d4ae4827037e813ef1ba2734c342d0d78146ce16a819ebb
#+end_src
If you have a few Beaglebone Blacks to use as routers then repeat the /dd/ command to create however many microSD cards you need.
There is still a software freedom issue with the Beaglebone Black, but it doesn't prevent you from running a fully free system on the board. The TI AM335X SOC has a PowerVR SGX530 GPU which will only run with a proprietary blob, but this would only be an issue for systems with a monitor or LCD screen attached running a desktop environment which also needs GPU acceleration. For "headless" systems such as servers or mesh routers this isn't a problem.
* Building Disk Images
It's better not to trust images downloaded from random places on the interwebs. Chances are that unless you are in the web of trust of the above GPG signatures then they don't mean very much to you. If you actually want something trustworthy then build the images from scratch. It will take some time. Here's how to do it.
First you will need to create an image. On a Debian based system (tested on Debian Stretch):
#+begin_src bash
sudo apt-get install xz-utils nodejs
sudo npm install -g dat
#+end_src
To download images with dat:
#+begin_src bash
dat clone dat://e9cbf606e55cdaa85199f4e6ec25ff7456775389979a668b3faf33e057493f8e/
cd e9cbf606e55cdaa85199f4e6ec25ff7456775389979a668b3faf33e057493f8e
#+end_src
Check the signature:
#+begin_src bash
gpg --verify freedombone.tar.gz.sig
#+end_src
Install it:
#+begin_src bash
tar -xzvf freedombone.tar.gz
cd freedombone
git checkout stretch
sudo make install
#+end_src
Setup your build environment. If you're using Arch/Parabola substitute /debian/ for /parabola/.
#+begin_src bash
freedombone-image --setup debian
#+end_src
And then build the image:
#+begin_src bash
freedombone-image -t i386 -v meshclient
#+end_src
If you don't have an Atheros or other free software compatible wifi adapter then you can include proprietary wifi drivers which will work with most laptops. This is *NOT RECOMMENDED* because proprietary drivers are unsupportable and may contain malware or be exploitable in a way which can't be fixed. However, if you're in an emergency and don't have any Atheros or free software wifi USB dongles then you can use the following command to make the image:
This takes a while. Maybe an hour or so, depending on the speed of your system and the internets. The good news though is that once created you can use the resulting image any number of times, and you don't need to trust some pre-built image.
List what drives are on your system with:
#+begin_src bash
ls /dev/sd*
#+end_src
Now plug in the USB thumb drive, and do the same again. Notice which drive letter gets added.
You can now copy the image to the USB thumb drive, replacing *sdX* with the identifier of the USB thumb drive. Don't include any numbers (so for example use *sdc* instead of *sdc1*).
And wait. Again it will take a while to copy over. When that's done plug it into the laptop or netbook which you want to use on the mesh, power on and set the BIOS to boot from the USB stick.
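The listing, plugging-in and copying steps above can be scripted so that the target drive is chosen by what actually appeared rather than by a drive letter typed by hand, and so that the copy is read back and checked afterwards. The following is an added example and not Freedombone's own tooling: it assumes Linux /dev/sd* naming and an image path given on the command line, and it includes a dry run on constructed temporary files so it can be tried without a real drive.

```python
"""Write a disk image to a freshly plugged-in drive and verify the copy.

Added example, not part of Freedombone. It mirrors the page's procedure
(list /dev/sd*, plug in the drive, note the new letter, copy with dd) but
picks the drive for you and reads the data back to check it. Device paths
and the image path are assumptions; the dry run at the bottom uses
constructed temporary files instead of a real drive.
"""
import glob
import hashlib
import os
import re
import tempfile

CHUNK = 4 * 1024 * 1024  # 4 MiB per read/write, like dd bs=4M


def whole_disks() -> set:
    """Block devices without a trailing partition number (sdb, not sdb1)."""
    return {d for d in glob.glob("/dev/sd*") if not re.search(r"\d$", d)}


def new_device(before: set, after: set) -> str:
    """The single device that appeared between two snapshots, or an error.

    Refusing to guess when zero or several devices appeared is the point:
    a wrong guess here overwrites the wrong disk.
    """
    added = sorted(after - before)
    if len(added) != 1:
        raise RuntimeError("expected exactly one new drive, found %r" % added)
    return added[0]


def sha256_of(path: str, length=None) -> str:
    """SHA-256 of the first `length` bytes of a file or device (all if None)."""
    h = hashlib.sha256()
    remaining = length
    with open(path, "rb") as f:
        while remaining is None or remaining > 0:
            block = f.read(CHUNK if remaining is None else min(CHUNK, remaining))
            if not block:
                break
            h.update(block)
            if remaining is not None:
                remaining -= len(block)
    return h.hexdigest()


def write_image(image_path: str, device_path: str) -> int:
    """Copy the image onto the device, flush it to the medium, return bytes written.

    'r+b' rather than 'wb': the target is opened for overwrite without
    truncation, which is what a block device needs (and a regular file in
    the dry run keeps its size).
    """
    written = 0
    with open(image_path, "rb") as src, open(device_path, "r+b", buffering=0) as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            dst.write(block)
            written += len(block)
        dst.flush()
        os.fsync(dst.fileno())  # the equivalent of running `sync` after dd
    return written


def verify_image(image_path: str, device_path: str) -> bool:
    """Read the written region back and compare hashes.

    Caveat: on a real drive the read may be served from the page cache
    rather than the flash. Unplug and re-plug the drive, or open with
    os.O_DIRECT, before trusting a positive result.
    """
    size = os.path.getsize(image_path)
    return sha256_of(image_path) == sha256_of(device_path, size)


def dry_run() -> tuple:
    """Rehearse on constructed temp files; returns (verified, verified_after_corruption)."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "meshclient.img")
        fake_device = os.path.join(d, "fake_sdX")
        with open(image, "wb") as f:        # constructed image, a bit over one chunk
            f.write(bytes(range(256)) * 20000)
        with open(fake_device, "wb") as f:  # "drive" larger than the image
            f.write(b"\0" * (2 * CHUNK))
        write_image(image, fake_device)
        ok = verify_image(image, fake_device)
        with open(fake_device, "r+b") as f:  # flip one byte, as a bad sector might
            f.seek(CHUNK + 7)
            f.write(b"\xff")
        return ok, verify_image(image, fake_device)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        before = whole_disks()
        input("Plug in the USB drive, then press Enter: ")
        target = new_device(before, whole_disks())
        print("writing %s to %s" % (sys.argv[1], target))
        write_image(sys.argv[1], target)
        print("verified" if verify_image(sys.argv[1], target) else "MISMATCH")
    else:
        print(dry_run())
```

Run it with no arguments to rehearse on temporary files; with an image path it waits for a drive to appear, writes it and verifies. Opening a real block device still needs root, and a failed verification means the drive should not be trusted to boot.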
On first boot you'll be asked to set a username, and then you can open the chat client and select the *users* icon to show the Tox IDs for other users on the mesh. When folks join they will be announced.
Rinse, repeat, for any number of laptops that you want to get onto the mesh or to build out coverage within an area. There are no servers. Just peer-to-peer communications routed through the network which are end-to-end secure after a friend request is accepted. By default the chat client doesn't log anything.
You can also use single board computers (SBCs) such as the BeagleBone Black to make mesh routers which can be bolted to walls or the sides of buildings and consume minimal electrical power, so could be solar or battery powered for short term events such as festivals. To do that use the following command to make the image:
#+begin_src bash
freedombone-image -t beaglebone -v mesh
#+end_src
The resulting image can be copied to a microSD card, inserted into a Beaglebone Black and booted. Don't forget to plug in an Atheros USB wifi dongle.
#+begin_quote
"/I see mesh networks naturally evolving to become the dominant form of network over the next few decades, because it’s the most practical solution to a number of problems that will have to be solved in order to build the VR web as well as to connect the entire world to the internet. Centralized networks are only possible in highly developed countries with existing infrastructures like power and telephone grids, as well as roads. You can’t build a tower where you don’t have either power or access. For vast areas of the world, mesh networks will be the only feasible solution./" -- Valkyrie Ice
#+end_quote
The Freedombone mesh roughly follows MondoNet's ten social specifications:
* Decentralized
The network should not be operated, maintained, or in any way reliant upon a single or minimally differentiated set of entities or technologies. No individual, entity or group should be central to the network to the extent that their absence would measurably impact its functionality or scope. Network participation should not require access to fixed, physical infrastructure of any sort.
* Universally Accessible
The requisite technology and expertise required to participate in the network should be available at minimal cost and effort to every human being on the planet. Furthermore, all users should be able to extend the network’s content and functionality to suit their own needs, or those of others. No aspect of the network’s functioning should be reliant upon proprietary technologies, information or capital.
* Censor-proof
The network should be resistant to both regulatory and technical attempts to limit the nature of the information shared, restrict usage by given individuals or communities, or render the network, or any portion of it, inoperable or inaccessible.
* Surveillance-proof
The network should enable users to choose exactly what information they share with whom, and to participate anonymously if they so desire. Users should only have access to information if they are the designated recipients, or if it has been published openly.
* Secure
The network should be organized in a way that minimizes the risk of malicious attacks or engineering failure. Information exchanged on the network should meet or exceed the delivery rate and reliability of information exchanged via the Internet.
* Scalable
The network should be organized with the expectation that its scale could reach or even exceed that of today’s Internet. Special care should be taken to address the challenge of maintaining efficiency without the presence of a centralized backbone.
* Permanent
The network’s density and redundancy should be great enough that, despite its ad hoc nature, it will persistently operate on a broad scale, and be available in full to any user within range of another peer.
* Fast (enough)
The network should always achieve whatever speed is required for a “bottom line” level of social and cultural participation. At present, we assert that the network’s data transfer rate should, at a minimum, be enough for voice-over-IP (VoIP) communications, and low-bitrate streaming video.
* Independent
While the network will have the capacity to exchange information with Internet users and nodes, it should be able to operate independently, as well. A large-scale failure or closure of Internet infrastructure and content should have minimal effect on the network’s operations.
* Evolvable
The network should be built with future development in mind. The platform should be flexible enough to support technologies, protocols and modes of usage that have not yet been developed.
* [[Connecting two meshes over the internet via a VPN tunnel]]
* [[Mobile devices (phones, etc)]]
* [[Chat System]]
* [[Collaborative document editing]]
* [[Social Network]]
* [[Sharing Files]]
* [[Blogging]]
When you first boot from the USB drive the system will create some encryption keys, assign a unique network address to the system and then reboot itself. When that's done you should see a prompt asking for a username. This username just makes it easy for others to initially find you on the mesh and will appear in the list of users.
#+attr_html: :width 100% :align center
[[file:images/mesh_initial_login.jpg]]
After a minute or two if you are within wifi range and there is at least one other user on the network then you should see additional icons appear on the desktop, such as /Other Users/ and /Chat/.
* Boot trouble
If the system doesn't boot and reports an error which includes */dev/mapper/loop0p1* then reboot with *Ctrl-Alt-Del* and when you see the grub menu press *e* and manually change */dev/mapper/loop0p1* to */dev/sdb1*, then press *Ctrl-x*. If that doesn't work then reboot and try */dev/sdc1* instead.
After the system has booted successfully the problem should resolve itself on subsequent reboots.
* Set the Date
On the ordinary internet the date and time of your system would be set automatically via NTP. But this is not the internet and so you will need to manually ensure that your date and time settings are correct. You might need to periodically do this if your clock drifts. It's not essential that the time on your system be highly accurate, but if it drifts too far or goes back to epoch then things could become a little confusing in regard to the order of blog posts.
*Right click on the date* in the top right corner of the screen. Select *preferences*, then click the *Time Settings* button. You can then select the date from the calendar and set the time, then click the *Set System Time* button. Enter the default password, which is /freedombone/.
* Check network status
Unlike with ordinary wifi, on the mesh you don't get a signal strength icon and so it's not simple to see if you have a good connection.
Select the wifi icon on the desktop and enter the password '/freedombone/'. The network configuration will go into a monitoring mode and in the bottom right side of the window you will be able to see signal strength and other parameters. This can help you to locate systems or adjust antennas to get the best wifi performance.
#+attr_html: :width 70% :align center
[[file:images/mesh_signal.jpg]]
When you are finished close the window and then select the /Network Restart/ desktop icon, which will restart the B.A.T.M.A.N. network. You can also use the restart icon if you are within range of the mesh network but the /Chat/ and /Other Users/ icons do not automatically appear after a few minutes.
* Connecting to the internet
#+attr_html: :width 100% :align center
[[file:images/mesh_architecture2.jpg]]
If you need to be able to access the internet from the mesh then connect one of the peers to an internet router using an ethernet cable (shown as yellow above), then reboot it. Other peers in the mesh, including any attached mobile devices, will then be able to access the internet using the ethernet attached peer as a gateway. [[https://en.wikipedia.org/wiki/Freifunk][Freifunk]] works in a similar way.
After connecting one peer to the internet you may need to reboot other peers in order to update their network configurations.
If for legal reasons you need to connect to the internet via a VPN then openvpn is preinstalled and you can run the command:
#+begin_src bash
sudo openvpn myclient.ovpn
#+end_src
Here /myclient.ovpn/ is the configuration file supplied by your VPN provider; the password, if you are prompted for one, is /freedombone/.
* Connecting two meshes over the internet via a VPN tunnel
#+attr_html: :width 100% :align center
[[file:images/mesh_architecture_vpn.jpg]]
Maybe the internet exists, but you don't care about getting any content from it and just want to use it as a way to connect mesh networks from different geographical locations together.
In your home directory on a system connected via ethernet to an internet router you'll find a file called *vpn.tar.gz*. If you want another mesh to be able to connect to yours then send them this file and get them to uncompress it into their home directory also on an internet gateway machine. If they have an external IP address or domain name for your router then they will be able to VPN connect using the *Connect Meshes* icon. They should also forward port 653 from their internet router to the mesh gateway machine.
#+attr_html: :width 80% :align center
[[file:images/mesh_connect.png]]
You should create a new *vpn.tar.gz* file for every other mesh which wants to be able to connect to yours. If you are prompted for a password it is 'freedombone'.
From a deep packet inspection point of view the traffic going over the internet between mesh gateways will just look like any other TLS connection to a server.
* Mobile devices (phones, etc)
#+attr_html: :width 100% :align center
[[file:images/mesh_architecture3.jpg]]
To allow mobile devices to connect to the mesh you will need a second wifi adapter connected to your laptop/netbook/SBC. Plug in a second wifi adapter then reboot the system. The second adapter will then create a wifi hotspot (the connection shown in green above) which mobile devices can connect to. The hotspot name also contains its local IP address (eg. "/mesh-192.168.1.83/").
On a typical Android device go to *Settings* then *Security* and ensure that *Unknown sources* is enabled. Also within *Wifi* from the *Settings* screen select the mesh hotspot. The password is "/freedombone/". Open a non-Tor browser and navigate to the IP address showing in the hotspot name. You can then download and install mesh apps.
#+attr_html: :width 50% :align center
[[file:images/mesh_mobileapps.jpg]]
On some Android devices you may need to move the downloaded APK file from the *Downloads* directory to your *home* directory before you can install it.
* Chat System
Ensure that you're within wifi range of at least one other mesh peer (could be a router or client) and then you should see that the /Chat/ and /Other Users/ icons appear. Select the users icon and you should see a list of users on the mesh.
#+attr_html: :width 50% :align center
[[file:images/mesh_peerslist.png]]
Selecting a user followed by the Ok button will copy their Tox ID to the clipboard.
Now select the /Chat/ icon and once you are connected you should see the status light turn green. If after a few minutes you don't get the green status light then try closing and re-opening the Tox chat application. Select the plus button to add a friend and then paste in a Tox ID.
#+attr_html: :width 80% :align center
[[file:images/mesh_paste_tox_id.jpg]]
The other user can then accept or decline your friend request.
#+attr_html: :width 80% :align center
[[file:images/mesh_friend_request.jpg]]
You can also select an avatar by selecting the grey head and shoulders image.
#+attr_html: :width 100% :align center
[[file:images/mesh_choose_avatar.jpg]]
And by selecting the user from the list on the left hand side the chat can begin.
#+attr_html: :width 100% :align center
[[file:images/mesh_text_chat.jpg]]
One important point is that by default the microphone is turned off. When doing voice chat you can select the microphone volume with the drop down slider in the top right corner of the screen.
At present video doesn't work reliably, but text and voice chat do work well.
* Collaborative document editing
The mesh system includes the ability to collaboratively edit various sorts of documents using CryptPad. CryptPad is almost peer-to-peer: it is designed for a client/server environment, but the server side is minimal and limited to orchestrating the connected clients. With CryptPad installed on each mesh peer it effectively enables peer-to-peer collaborative editing. Documents are ephemeral and are forgotten unless they're exported or copy-pasted to permanent storage.
#+attr_html: :width 100% :align center
[[file:images/mesh_cryptpad1.jpg]]
To create a document click on the CryptPad icon. Depending upon the specifications of your system it may take a few seconds to load, so don't be too disturbed if the browser contents look blank for a while. Select _Rich Text Pad_ and give yourself a username.
#+attr_html: :width 100% :align center
[[file:images/mesh_cryptpad2.jpg]]
If you have the chat system running you can then copy and paste the URL for your pad into the chat, and the other user can then open the link and edit the document with you. You can repeat that for however many other users you wish to be able to edit.
* Social Network
Patchwork is available as a social networking system for the mesh. Like all social network systems it has a stream of posts and you can follow or unfollow other users. You can also send private messages to other users with end-to-end encryption.
Double click on the "Social" icon to open the app, then add your nickname and optionally a description. If you want to choose an avatar image some can be found within the directory */usr/share/freedombone/avatars*. On older systems or systems without a hardware random number generator, Patchwork sometimes takes a long time (a few minutes) to open for the first time after clicking the icon. This is most likely due to the initial generation of encryption keys, so be patient.
#+attr_html: :width 80% :align center
[[file:images/patchwork_setup.jpg]]
Other Patchwork users on the mesh will appear automatically under the *local* list and you can select and follow them if you wish. It's also possible to select the dark theme from *settings* on the drop down menu if you prefer.
#+attr_html: :width 80% :align center
[[file:images/patchwork_public.jpg]]
The Secure Scuttlebutt protocol which Patchwork is based upon is intended to be robust to intermittent network connectivity, so you can write posts when out of range and they will sync once you are back in the network.
* Sharing Files
You can make files publicly available on the network simply by dragging and dropping them into the /Public/ folder on the desktop. To view the files belonging to another user select the desktop icon called /Visit a site/ and enter the username or Tox ID of the other user.
#+attr_html: :width 80% :align center
[[file:images/mesh_share_files.jpg]]
* Blogging
To create a blog post select the /Blog/ icon on the desktop and then select *New blog entry* and *Ok*. Edit the title of the entry and add your text. You can also include photos if you wish - just copy them to the *CreateBlog/content/images* directory and then link to them as shown.
#+attr_html: :width 50% :align center
[[file:images/mesh_blog.png]]
To finish your blog entry just select /Save/ and then close the editor. On older hardware it may take a while to publish the results, and this depends upon the amount of computation needed by IPFS to create file hashes. If you make no changes to the default text then the new blog entry will not be saved.
#+attr_html: :width 80% :align center
[[file:images/mesh_new_blog2.jpg]]
#+attr_html: :width 80% :align center
[[file:images/mesh_view_blog.jpg]]
You can also visit other blogs, edit or delete your previous entry and change your blog theme.
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
| [[Do mirrors include debian package repositories?]] |
| [[What do I need to do to keep the mirrored repositories updated?]] |
* What are mirrors and why do they exist?
It would be nice if all of the applications used by this project were packaged for Debian, but currently they're not. This means that various upstream git repositories are used and these mostly reside on Github. What if Github were to go away, become pay-only or be censored in some manner which was difficult to work around? To guard against this possibility the repositories are mirrored on each install and can then be made available to other users so that new installations or updates could still occur without the original default repos.
* What security do mirrors have?
On each install you have a /mirrors/ user created, whose only purpose is to mirror upstream repositories. A random password is generated for the /mirrors/ user which can be seen within the control panel and so given to other users who may need it.
* How do I set up mirrors?
The interactive installer will ask whether you want to configure the main repositories. Enter the URL, which will typically be an onion address, the ssh port number and the password for the mirrors on that system.
* Do mirrors include debian package repositories?
No. Packages for Debian will still be accessed in the conventional manner.
* Can I change mirrors after the system has been installed?
Yes. From the control panel select "/Set the main repository/".
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
Mobile phones are insecure devices, but they're regarded as being so essential to modern life that telling people not to use them isn't a viable option. Here are some recommendations on setting up a mobile phone (aka "smartphone") to work with Freedombone.
#+BEGIN_EXPORT html
<center>
<table style="width:80%; border:0">
<tr>
<td><center><b><h3>Open</h3></b><br>Use a free and open source operating system. Open means more trustworthy</center></td>
<td><center><b><h3>Remove</h3></b><br>If there are any proprietary apps then remove or deactivate them</center></td>
<td><center><b><h3>Encrypt</h3></b><br>Make sure your phone is encrypted with a password which isn't easy to guess</center></td>
</tr>
<tr>
<td><center><b><h3>Apps</h3></b><br>Use F-droid to install new apps</center></td>
<td><center><b><h3>Lock</h3></b><br>Enable a lock screen with a maximum number of password guesses</center></td>
<td><center><b><h3>Onion</h3></b><br>Onion route your connections to avoid bulk metadata collection</center></td>
</tr>
<tr>
<td><center><b><h3>ssh</h3></b><br>Set up ssh access to Freedombone</center></td>
<td><center><b><h3>Services</h3></b><br>Connect to the Freedombone services</center></td>
</tr>
</table>
</center>
#+END_EXPORT
* Open
Use a Linux based phone operating system. Typically this will mean Android, but could also mean LineageOS or Replicant. LineageOS is the most preferable, because you can usually get an up to date image with a recent kernel which will give you better security against exploits. If you're buying a phone then look for a model which is supported by LineageOS. Replicant is the most free (as in freedom) but only runs on a small number of phone models. If you have a phone which runs a full GNU/Linux system then that's fantastic, and you can probably use it in much the same way as a desktop system and the rest of the advice on this page won't apply. If you don't have a phone capable of running a Linux based operating system then consider selling, giving away or bartering your existing one.
Why is it so important to run Linux on a phone? Aren't /iThings/ supposed to be highly secure? Don't the "experts" always tell you to just use an iPhone with its supposedly superior secure enclave? Isn't the CEO of Apple a good guy, fighting for freedom against the evil Feds?
In the end it comes down to the fact that /if the source code for the device cannot be independently audited to check for backdoors, bugs and so on, then it can't actually be trusted/. It doesn't matter if there's a supposedly secure enclave on your closed source gadget. No matter how well-meaning or brave people running companies may be, local laws may force them to add backdoors into their systems (sometimes called "technical capabilities order" or "lawful interception") or to give away the encryption keys (Lavabit) or they may also do that purely for business reasons such as being able to sell you to their advertising customers and so on.
* Remove
* Encrypt
Encrypt your phone. This can usually be done via *Settings/Security* and you may
Installing *F-droid* and only adding any new apps via F-droid will ensure that you are always using free and open source software. Open source is not a panacea, since bugs can and do still occur, but it will help you to avoid the worst security and privacy pitfalls.
Avoid using the Open Whisper Systems Signal app if you can, no matter what "experts" say about it. There are multiple reasons for this which you can find in the [[./faq.html][FAQ]].
* Lock
Add a lock screen, preferably with a password which is not easy for other people to guess, or with a PIN number if you want quicker access. Install an app called *Locker*, activate it and set the maximum number of password guesses to ten (or whatever you feel comfortable with). If bad people get hold of your phone then they may try to brute force your lock screen password or PIN (i.e. automatically trying millions of common word and number combinations) and the locker app will prevent them from succeeding by resetting the phone back to its factory default condition and wiping the data.
* Onion
Both governments and corporations want to compile metadata dossiers about you. W
In F-droid under the *repositories* menu you can enable the *guardian project*, and then install *Orbot*. Within subsequently installed apps, such as those for XMPP chat, there is often a setting which allows the connection to then be routed through Tor. Also you can install *OrFox* and use that as your default browser. Within OrFox for the sites you regularly use you can add a NoScript exception via the menu.
* ssh
The most secure way to access email is via an ssh connection and shell interface. This is not highly convenient, but it does keep your email and GPG key off of the phone which improves your security. If your phone is subsequently stolen then even if an adversary can get past the lock screen /there are no emails stored on the phone/. Install *Connectbot*, generate an RSA key of at least 2048 bits and give it a password. Copy and paste the ssh public key to a pastebin and then add it to /home/myusername/.ssh/authorized_keys on Freedombone. Then add an ssh account for the Freedombone, using port 2222. Before you log in you will need to ensure that the ssh key is unlocked. If you lose your phone then you can remove that public key from /authorized_keys/ and anyone in possession of the phone will no longer be able to get ssh access to your system.
This is a /defense in depth/ approach in which there are multiple hurdles which any adversary must overcome in order to get access to your data in a typical theft scenario. So you have the phone encryption, the lock screen with maximum tries and the ssh key password.
* Email
The easiest way to access email is by installing the [[./app_mailpile.html][Mailpile]] app. This keeps your GPG keys off of possibly insecure mobile devices but still enables encrypted email communications in an easy way. You can use K9 mail if you prefer, but that will require installing OpenKeychain and having your GPG keys on the device, which is a lot more risky.
* Services
For information on configuring various apps to work with Freedombone see the [[file:./apps.html][apps section]]. Also see advice on chat apps in the [[file:./faq.html][FAQ]].
* Battery
Even with free software apps it's not difficult to get into a situation where your battery doesn't last for long. To maximize battery life access RSS feeds via the onion-based mobile reader within a Tor-compatible browser and not from a locally installed RSS app.
If you have Syncthing installed then change the settings so that it only syncs when charging and when on wifi. Avoid any apps which might be continuously polling and preventing the device from going into sleep mode when it's not used.
If you're using the Riot mobile app to access a Matrix homeserver then you can significantly improve battery performance by going to the settings and changing *Sync request timeout* to 30 seconds and *Delay between two sync requests* to 600 seconds.
It's also recommended to disable battery optimisations for Conversations and Orbot. If you don't do that then you may have trouble receiving messages or some parts of the protocol may break. That can be done by going to *Settings*, selecting *Battery* then opening the menu (top right) and selecting *Battery optimisations* then selecting *Not optimised* and *All apps*, then finally choosing Conversations and Orbot not to be optimised.
* Blocking bad domains
You can block known bad domains by editing the */system/etc/hosts* file on your device. It is possible to use extensive ad-blocking hosts files used by other ad-blocking systems such as pi-hole, but merely blocking Facebook and Google Analytics will protect you against much of the corporate surveillance which goes on. Even if you don't have a Facebook account this may still be useful since they will still try to create a "ghost profile" of you, so the less data they have the better.
On the device enable *Developer Options* by going to *Settings* then *About* then pressing on *Build number* a few times.
Go to *Settings* then *Developer Options* then set *Root access* to *ADB only* and enable *Android debugging*.
On your system (not the device) install the *android-tools* package. For example, on Arch/Parabola:
#+begin_src bash
sudo pacman -S android-tools
#+end_src
Connect the device to your system via a USB cable, then:
#+begin_src bash
adb root
adb remount
adb pull /system/etc/hosts
#+end_src
Now edit the hosts file which was pulled and append:
#+begin_src bash
127.0.0.1 www.facebook.com
127.0.0.1 facebook.com
127.0.0.1 static.ak.fbcdn.net
127.0.0.1 www.static.ak.fbcdn.net
127.0.0.1 login.facebook.com
127.0.0.1 www.login.facebook.com
127.0.0.1 fbcdn.net
127.0.0.1 www.fbcdn.net
127.0.0.1 fbcdn.com
127.0.0.1 www.fbcdn.com
127.0.0.1 static.ak.connect.facebook.com
127.0.0.1 www.static.ak.connect.facebook.com
127.0.0.1 www.google-analytics.com
127.0.0.1 google-analytics.com
127.0.0.1 ssl.google-analytics.com
127.0.0.1 telemetry.mozilla.org
127.0.0.1 incoming.telemetry.mozilla.org
#+end_src
Then upload the hosts file back again with:
#+begin_src bash
adb push hosts /system/etc/hosts
#+end_src
Once that's done you may want to set *Root access* on the device back to *Disabled* and turn *Android debugging* off.
* Building an internet run by the users, for the users
The internet may still be mostly in the clutches of a few giant megacorporations and dubious governments with sketchy agendas, but it doesn't have to remain that way. With the third version of the Freedombone system there is now more scope than before to take back your privacy, have ownership of personal data and run your own online communities without undesirable intermediaries.
Freedombone version 3 is based on Debian 9 (Stretch). It was released in July 2017 and includes:
* Faster initial setup
* More [[./apps.html][installable apps]], including CryptPad, Koel, NextCloud, PostActiv, Friendica and Matrix/RiotWeb
* Improved XMPP configuration for support of the [[https://conversations.im][Conversations]] app features
* Improved blocking controls for a better federated network experience
* Uses [[https://en.wikipedia.org/wiki/EdDSA][elliptic curve]] based GPG keys for better performance on low power single board computers
* Pre-downloaded repos distributed within images for faster and more autonomous app installs
* Installation
The simplest way to install is from a pre-made disk image. Images can be [[https://freedombone.net/downloads/v3][downloaded here]]. You will need to have previously obtained a domain name and have a dynamic DNS account somewhere.
Copy the image to a microSD card or USB thumb drive, replacing sdX with the identifier of the USB thumb drive. Don't include any numbers (so for example use sdc instead of sdc1).
And wait. It will take a while to copy over. When that's done you might want to increase the partition size on the drive, using a tool such as [[http://gparted.org][Gparted]]. Whether you need to do that will depend upon how many apps you intend to install and how much data they will store.
Plug the microSD or USB drive into the target hardware which you want to use as a server and power on. If you're using an old laptop or netbook as the server then you will need to set the BIOS to boot from USB.
As the system boots for the first time the login is:
#+BEGIN_SRC bash
username: fbone
password: freedombone
#+END_SRC
If you're installing from a microSD card on a single board computer without a screen and keyboard attached then you can ssh into it with:
#+BEGIN_SRC bash
ssh fbone@freedombone.local -p 2222
#+END_SRC
Using the initial password "freedombone". If you have trouble accessing the server then make sure you have Avahi installed and [[https://en.wikipedia.org/wiki/Multicast_DNS][mDNS]] enabled.
You will then be shown a new randomly generated password. It's very important that you write this down somewhere or transfer it to a password manager before going further, because you'll need this to log in later.
More detailed installation instructions are linked from [[./index.html][the main site]].
* Upgrading from a previous install
To upgrade from the Debian Jessie version first create a master keydrive. Go to the *Administrator control panel* and select *Backup and restore* then *Backup GPG key to USB (master keydrive)*. Insert a LUKS encrypted USB drive. When that is done, create a full backup by selecting *Backup data to USB drive* and using another LUKS encrypted USB drive.
Follow the installation instructions for the new Freedombone version, as described in the previous section. When the new system starts installing it will ask if you want to restore your GPG keys. Select *yes* and plug in your master keydrive.
When the initial setup is complete go to the *Administrator control panel* and select *Backup and restore* then *Restore data from USB drive* followed by *all*. Insert the backup USB drive which you made previously. This will restore the base system, including any emails.
You can now go to *Add/Remove apps* on the *Administrator control panel* and add the apps you want. Once they're installed you can recover their content and settings from *Backup and Restore*.
Newer and shinier than before, [[./index.html][Freedombone]] 3.1 rests upon the solid foundation of Debian stable and delivers major new self-hosted apps, improved mesh networking and a new logo. It supports version 3 onion addresses and the ability to use [[./usage_email.html][email with onion and I2P addresses]]. New apps are:
* [[./app_akaunting.html][Akaunting]]: Personal or small business accounts
* [[./app_bdsmail.html][bdsmail]]: Avoid PGP complexity by using email over I2P
* [[./app_edith.html][Edith]]: The simplest possible note taking system
* [[./app_icecast.html][Icecast]]: Run your own internet radio station
* [[./app_peertube.html][PeerTube]]: Peer-to-peer video hosting system
* [[./app_pleroma.html][Pleroma]]: Ultra lightweight fediverse instance with Mastodon compatibility
The [[./mesh.html][mesh version]] now supports BMX6, OLSR2 and Babel routing protocols on layer 3 and so is protocol compatible with [[https://libremesh.org][LibreMesh]]. It also now runs on pure IPv6 and has a built-in video editor and CryptPad integration for networked collaboration even during times when the internet is not available.
There is a new [[./socialinstance.html][social instance]] image build option, if you want to be able to rapidly deploy fediverse instances, and a [[./devguide.html][template command]] for quickly adding new apps to the system which automates a lot of the boilerplate.
According to some narratives the open web is dying with the silo companies comprising 80% of web traffic and what remains being pushed into an increasingly marginal corner. But at the same time these colonial occupiers have come under renewed [[https://www.wired.co.uk/article/open-letter-mark-zuckerberg-congress][public criticism]] as they continue to abuse their monopoly powers in ever more egregious ways. 2017 seemed to be a turning point in attitudes towards Silicon Valley generally and there is room for a new kind of movement to get started which is about reclaiming the internet for the common good.
This is where we make our stand. If the internet falls then so too does freedom.
The future is decentralized.
* Installation
The simplest way to install is from a pre-made disk image. Images can be [[https://freedombone.net/downloads/v31][downloaded here]]. You will need to have previously obtained a domain name and have a dynamic DNS account somewhere. Or if you don't need clearnet domains and will be using Tor compatible browsers then you can use the "onion only" images where apps will be accessible via an onion address.
Copy the image to a microSD card or USB thumb drive, replacing sdX with the identifier of the USB thumb drive. Don't include any numbers (so for example use sdc instead of sdc1).
And wait. It will take a while to copy over. When that's done you might want to increase the partition size on the drive, using a tool such as [[http://gparted.org][Gparted]]. Whether you need to do that will depend upon how many apps you intend to install and how much data they will store.
Plug the microSD or USB drive into the target hardware which you want to use as a server and power on. If you're using an old laptop or netbook as the server then you will need to set the BIOS to boot from USB.
As the system boots for the first time the login is:
#+BEGIN_SRC bash
username: fbone
password: freedombone
#+END_SRC
If you're installing from a microSD card on a single board computer without a screen and keyboard attached then you can ssh into it with:
#+BEGIN_SRC bash
ssh fbone@freedombone.local -p 2222
#+END_SRC
Using the initial password "freedombone". If you have trouble accessing the server then make sure you have Avahi installed and [[https://en.wikipedia.org/wiki/Multicast_DNS][mDNS]] enabled.
You will then be shown a new randomly generated password. It's very important that you write this down somewhere or transfer it to a password manager before going further, because you'll need this to log in later.
More detailed installation instructions are linked from [[./installmethods.html][the main site]].
* Upgrading from a previous install
To upgrade from version 3 just go to the *administrator control panel* and select *check for updates*.
It's a lot more secure to log in to the Freedombone system using ssh keys rather than with a password. You can set that up by first running:
#+begin_src bash
freedombone-client
#+end_src
On your local system (i.e. whatever you're logging in to the Freedombone system from, typically a laptop). Then:
#+begin_src bash
ssh myusername@freedombone.local -p 2222
#+end_src
Select *Administrator controls* and re-enter your password, then *Manage Users* and *Change user ssh public key*. Copy and paste the ssh public keys which appeared after the *freedombone-client* command was run. Then go to *Security settings* and select *Allow ssh login with passwords* followed by *no*.
You'll need to make sure that you have a copy of the ~/.ssh directory on your local system. You could just copy that directory to a USB drive and then keep that somewhere safe so that you can restore the keys if you need to.
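Before selecting *no* for password logins it is worth proving, from a second terminal, that the key route works on its own, and the ~/.ssh copy you keep on the USB drive should be readable only by you. The following is an added example, not part of freedombone-client or the Freedombone docs: a non-interactive key-login probe, a reader for sshd_config text that applies the rule that sshd uses the first value given for a keyword (so a later "PasswordAuthentication no" does not override an earlier "yes"), and an archive function for the USB copy. Hostnames are placeholders and any config text used with it here is constructed.

```shell
#!/bin/sh
# Added example (not part of Freedombone or freedombone-client): checks to
# run around turning off "Allow ssh login with passwords".
#  1. Confirm that the key works in a *second* terminal before the password
#     route is closed, so a mistake cannot lock you out.
#  2. Read the effective value of a keyword from sshd_config text; sshd uses
#     the FIRST value given for a keyword, not the last.
#  3. Make an owner-only archive of ~/.ssh for the offline USB copy.
# Assumes OpenSSH listening on port 2222 as in the docs; hostnames are placeholders.

# Non-interactive probe: succeeds only if public-key auth works by itself.
# BatchMode=yes stops ssh from ever prompting for a password or passphrase.
key_login_works() {
    host=$1
    user=${2:-$USER}
    ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=10 \
        -p 2222 "$user@$host" true 2>/dev/null
}

# Print the effective value of KEYWORD ($2) in sshd_config text ($1).
# Comments and blank lines are skipped, "Keyword = value" is normalised to
# "Keyword value", the first match wins, and parsing stops at the first
# Match block because values inside it are conditional.
sshd_first_value() {
    printf '%s\n' "$1" \
        | sed 's/^[[:space:]]*//; s/=/ /' \
        | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
            /^#/ || NF == 0       { next }
            tolower($1) == "match" { exit }
            tolower($1) == key     { print $2; exit }'
}

# Return 0 only if password logins are effectively off. The sshd default
# is "yes", so an absent keyword counts as enabled.
password_login_disabled() {
    v=$(sshd_first_value "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    [ "$v" = "no" ]
}

# Archive SRC (default ~/.ssh) into directory DEST with owner-only permissions
# and print the archive path. The private key inside is as unencrypted as it
# is in ~/.ssh, which is why the USB copy is kept offline and out of reach.
backup_ssh_dir() {
    src=${1:-"$HOME/.ssh"}
    dest=$2
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    [ -n "$dest" ] || { echo "usage: backup_ssh_dir SRC DEST" >&2; return 1; }
    out="$dest/ssh-backup-$(date +%Y%m%d).tar.gz"
    (
        umask 077        # archive and directory created readable by the owner only
        mkdir -p "$dest"
        tar -czf "$out" -C "$(dirname "$src")" "$(basename "$src")"
    ) || return 1
    printf '%s\n' "$out"
}

# Typical sequence (not run when this file is merely sourced):
#   key_login_works freedombone.local myusername && echo "key login OK"
#   backup_ssh_dir "$HOME/.ssh" /media/usb/keys
```

Run key_login_works while your existing session is still open; only when it succeeds is it safe to answer *no* to *Allow ssh login with passwords*. The first-value rule is the reason the reader stops at the first match rather than the last.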
* Administrating the system via an onion address (Tor)
You can also access your system via the Tor system using an onion address. To find out what the onion address for ssh access is you can do the following:
#+BEGIN_SRC bash
ssh username@freedombone.local -p 2222
#+END_SRC
Select /Administrator controls/ then select "About this system" and look for the onion address for ssh. You can then close the terminal and open another, then do the following on your local system:
#+BEGIN_SRC bash
freedombone-client
#+END_SRC
This will set up your ssh environment to be able to handle onion addresses. Then you can test ssh with:
#+BEGIN_SRC bash
ssh username@address.onion -p 2222
#+END_SRC
Subsequently even if dynamic DNS isn't working you may still be able to administer your system. Using the onion address also gives you some degree of protection against corporate or government metadata analysis, since it becomes more difficult to passively detect which systems are communicating.
A social instance image allows you to easily set up a fediverse server, which federates using the OStatus or ActivityPub protocol. You will need:
* An old laptop, capable of booting from USB
* A USB drive, preferably Sandisk and 16GB or larger
* An ethernet patch cable
* A domain name of your own
* A dynamic DNS account
* Ability to alter settings on your internet router
The installation process is the same as usual, with the only difference being that on initial setup it will go straight to the domain setup details for your instance. In summary:
* Copy the image to the USB drive
Substitute *sdX* with the device name for your USB drive.
#+begin_src bash
sudo apt-get install xz-utils nodejs
npm install -g dat
dat clone dat://231b24dbeef3c3f7b115b9c7cd02e416b382df0a1050ef66f94b988fc8dae92e/
cd 231b24dbeef3c3f7b115b9c7cd02e416b382df0a1050ef66f94b988fc8dae92e
#+end_src
Also note that if the laptop has a removable SSD drive it's possible to copy the image directly to that if you have enough equipment.
* Connect the laptop to your internet router
Plug the USB drive into the laptop and connect it to your internet router with the ethernet cable.
#+attr_html: :width 100% :align center
[[file:images/laptop_router.jpg]]
* Boot the laptop from the USB drive
You may need to alter the BIOS settings to get this to work reliably.
#+attr_html: :width 100% :align center
[[file:images/bios_boot_usb.jpg]]
* Forward ports 80 (HTTP) and 443 (HTTPS) from your internet router to the laptop
Log into your internet router using a non-Tor browser (usually it's on an address like 192.168.1.1 or 192.168.1.254). Often port forwarding settings are together with firewall settings.
#+attr_html: :width 100% :align center
[[file:images/port_forwarding.png]]
* From another machine ssh into the laptop
#+begin_src bash
ssh fbone@freedombone.local -p 2222
#+end_src
Or alternatively you can log in directly on the laptop. The initial username is *fbone* and the password is *freedombone*. You should make sure you write down or copy the new password when it is shown.
* Follow the setup procedure
Enter your user details, domain name and dynamic DNS settings.
* When installation is complete
Navigate to your domain and register a new user.
#+attr_html: :width 100% :align center
[[file:images/pleroma_register.jpg]]
More details about setting up and using Pleroma [[./app_pleroma.html][can be found here]].
#+KEYWORDS: freedombox, debian, beaglebone, red matrix, email, web server, home server, internet, censorship, surveillance, social network, irc, jabber
#+DESCRIPTION: Turn the Beaglebone Black into a personal communications server
#+KEYWORDS: freedombone, support
#+DESCRIPTION: How to support the Freedombone project
** Web design and artwork
A better design for this website would be nice to have. Photos, icons or other artwork are all welcome. I've always liked the cartoon artwork of the [[https://www.mediagoblin.org/][Mediagoblin]] project, and attractive graphics can help to get people initially interested.
** Howto videos
If you're good at making videos then a howto for installing Freedombone onto various types of hardware, or testing the mesh system in realistic/exotic scenarios would be good. You could even host videos on PeerTube or Mediagoblin.
** More education and promotion
#+BEGIN_CENTER
#+attr_html: :width 50% :align center
[[./images/educate.png]]
#+END_CENTER
Many people are unaware that running their own internet services /is even a possibility/. Many also believe that internet services can be provided only if they're supported by advertising or donations, and that only gigantic data centres have enough computing capacity to serve web pages on a worldwide scale. Others may be fearful of encryption due to misrepresentations or misunderstandings of it in the mainstream media. Some may be intimidated by the apparent complexity and think that you need to be some sort of Silicon Valley genius in order to run a web service on your own. Even many technically-minded folks often believe that they can't run a home server unless they have a static IP address, which isn't true, and others are put off by thinking that any such server will be immediately [[https://en.wikipedia.org/wiki/Pwn][pwned]] by blackhat hackers.
Raising awareness beyond the near zero current level, overcoming fear and paranoia and dispelling some of the prevalent myths will definitely help.
** Translations
To add translations modify the json files within the *locale* subdirectory. Then make a pull request on [[https://code.freedombone.net/bashrc/freedombone][code.freedombone.net]] or the [[https://github.com/bashrc/freedombone][Github site]], or send patches via email to bob@freedombone.net.
** Packaging
Helping to package GNU Social and Hubzilla for Debian would be beneficial.
* Adding or removing users
Log into the system with:
#+BEGIN_SRC bash
ssh username@domainname -p 2222
#+END_SRC
Select *Administrator controls* then *User Management*. Depending upon the type of installation after selecting administrator controls you might need to enter:
| [[A technical note about email transport security]] |
| [[Publishing your GPG public key]] |
| [[Mutt email client]] |
| [[Thunderbird/Icedove]] |
| [[K9 Android client]] |
| [[Android apps]] |
| [[Subscribing to mailing lists]] |
| [[Adding email addresses to a group/folder]] |
| [[Ignoring incoming emails]] |
| [[Your own mailing list]] |
| [[Using I2P for email transport]] |
* Things to be aware of
Even though this system makes it easy to set up an email server, running your own email system is still not easy. This is mainly due to the huge amount of collateral damage caused by spammers over a long period of time, which in turn is due to the inherent insecurity of email protocols that allowed spam to become a big problem. Email is still very popular though, and most internet services require that you have an email address in order to register.
From https://motherboard.vice.com/read/email-encryption-is-broken:
#+BEGIN_QUOTE
The researchers also uncovered mass scale attacks of STARTTLS sessions being stripped of their encryption. That attack itself isn't new: internet service providers sometimes do it to monitor users; organizations may use it to keep an eye on employees; or it may come from a malicious actor
#+END_QUOTE
A way to avoid these pitfalls altogether is to use onion addresses (see the section below) or [[./app_bdsmail.html][I2P addresses]] for email. These are not so convenient because they use long random strings which aren't memorable as addresses, but they do give a strong assurance that whoever receives the message is the intended recipient and that emails can't be read passively during their transport across the internet.
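As a check against the stripping described in the quote above, the EHLO reply your server gives when reached from outside should still list STARTTLS; if the server is configured for TLS and the reply you see lacks it, something on the path is altering the session. The following is an added example, not from the Freedombone docs: it parses an EHLO reply into its capability list and wraps openssl's built-in SMTP STARTTLS handshake as a live check. The sample replies are constructed and the hostnames are placeholders; the live check assumes openssl is installed and the server is reachable on port 25 or 587.

```shell
#!/bin/sh
# Added example (not part of the Freedombone docs): see whether an SMTP
# server's EHLO reply, as received by you, still advertises STARTTLS, and
# whether a TLS session can actually be negotiated. Hostnames are placeholders.

# Parse an EHLO reply given as text in $1 and print the capability keywords,
# one per line. RFC 5321 replies use "250-" for continuation lines and
# "250 " for the final line; the first 250 line carries the server name,
# not a capability, so it is skipped. CRLF line endings are tolerated.
ehlo_capabilities() {
    printf '%s\n' "$1" | awk '
        /^250[- ]/ {
            n++
            if (n == 1) next                 # server greeting line, not a capability
            line = substr($0, 5)             # drop the "250-" / "250 " prefix
            sub(/\r$/, "", line)             # strip a trailing CR if present
            split(line, w, " ")
            print toupper(w[1])              # keyword only (e.g. SIZE, STARTTLS)
        }'
}

# Return 0 if the reply advertises STARTTLS, 1 otherwise.
ehlo_offers_starttls() {
    ehlo_capabilities "$1" | grep -qx 'STARTTLS'
}

# Live check: ask openssl to speak SMTP, issue STARTTLS and complete the TLS
# handshake, then QUIT. Returns 0 when a TLS session was negotiated.
# Needs network access to the server; not exercised offline.
starttls_handshake_ok() {
    host=$1
    port=${2:-25}
    printf 'QUIT\r\n' | openssl s_client -starttls smtp -connect "$host:$port" \
        -servername "$host" >/dev/null 2>&1
}

# Typical use from outside your own network (not run when merely sourced):
#   starttls_handshake_ok mail.example.org 25 && echo "STARTTLS negotiated"
```

A useful habit is to run the live check from a different network than the server's own, so that the path under test is the one remote senders actually traverse; run the parser over the reply shown by openssl's own output (the lines after "250-") if you want to see exactly which capabilities survived the trip.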
* Add a password to your GPG key
If you didn't use existing GPG keys during the Freedombone installation then you'll need to add a password to your newly generated private key. This is highly recommended. Go through the following sequence of commands to ssh into the Freedombone and then change your GPG password.
Mutt is a terminal based email client which comes already installed onto the Freedombone. To access it you'll need to access it via ssh with:
Make sure that "*show only subscribed folders*" is not checked. Then click the *ok* buttons. Folders will be re-scanned, which may take some time depending upon how much email you have, but your folders will then appear.
* K9 Android client
*** A point about GPG on Android
Before trying to set up email on Android you may want to consider whether you really need to do this. Android (and its variants) is not a particularly secure operating system and whether or not you wish to store GPG keys on it depends on your threat model and in what situations you'll be using your device.
If you are going to use email on an Android device then ensure that you have full encryption enabled via the security settings, so that if you subsequently lose it, or if it gets stolen, the chances of encryption keys being exposed are minimised.
*** Compiling the development version
To get K9 working with Freedombone you'll need to install development versions of OpenKeychain and K9. At the time of writing the versions available in F-Droid do not support PGP/MIME or the "hidden recipient" feature of GPG. It is hoped that at some stage the patches will be integrated into the mainline or functionally equivalent changes made. Admittedly, this is not at all user friendly, but currently it's the only way to read Freedombone email on Android systems.
Then on your device select OpenKeychain and import your key from file.
*** Incoming server settings
* Select settings/account settings
* Select Fetching mail/incoming server
* Enter your username and password
* IMAP server should be your domain name
* Security: SSL/TLS (always)
* Authentication: Plain
* Port: 993
*** Outgoing (SMTP) server settings
* Select settings/account settings
* Select Sending mail/outgoing server
* Set SMTP server to your domain name
* Set Security to SSL/TLS (always)
* Set port to 465
* Set authentication to PLAIN
* Enter your username and password
* Accept the SSL certificate
*** Crypto settings
Select *settings*, *Account settings*, *OpenKeychain* and then select your key and press *Allow*. You should now be able to decrypt emails by entering your GPG passphrase.
You may also want to change the amount of time for which passwords are remembered, so that you don't need to enter your passphrase very often.
*** Folders
To view any new folders which you may have created using the /mailinglistrule/ script from your inbox press the *K9 icon* at the top left to access folders, then press the *menu button* and select *refresh folder list*.
If your folder still doesn't show up then press the *menu button*, select *show folders* and select *all folders*.
* Android apps
Mobile devices have a reputation for being quite insecure, so it's recommended that you don't store emails or GPG keys on your phone. Instead [[./app_mailpile.html][install Mailpile]] and access your email via the webmail interface.
* Subscribing to mailing lists
To subscribe to a mailing list log in as your user (i.e. not the root user).
Select /Administrator controls/ then *Email filtering rules* then *Block/Unblock an email address* or *Block/Unblock email with subject line*. Also see the manpage for *freedombone-ignore*.
* Your own mailing list
If you want to set up a public mailing list then when installing the system remember to set the *PUBLIC_MAILING_LIST* variable within *freedombone.cfg* to the name of your list. The name should have no spaces in it. Public mailing lists are unencrypted so anyone will be able to read the contents, including non-subscribers.
To subscribe to your list send a cleartext email to:
#+BEGIN_SRC bash
mymailinglistname+subscribe@domainname
#+END_SRC
* Using onion email addresses
By default this system comes with the ability to send and receive emails using onion addresses as the domain name. On the *user control panel* if you select *Show your email address* then you should find one ending with /dot onion/. You will also see a QR code for that address, which provides a simple way to transfer it to a mobile phone if necessary.
If you want to give your onion email address to someone else securely then you can use the QR code to transfer it to a phone and copy and paste the address into an encrypted chat app, such as Conversations. Of course they will probably also need to be running Freedombone or some system capable of handling onion email addresses.
When sending email from an onion address it's not strictly necessary to use GPG/PGP. Tor handles the transport security by itself. You can still use it though if you prefer to have an extra layer of message security. You can also still use onion email addresses even if your ISP blocks the typical email ports (25 and 465).
Tip: When using the Mutt email client if you want to send an email in cleartext then press *p* (for PGP) on the sending screen and select *clear*. Unsecure email is treated as being the exception rather than the default.
If you don't make your onion email address public then it should be fairly resistant to spam, since spammers won't be able to randomly guess onion addresses (there are far too many), whereas it's a lot easier for them to do that with conventional domain names.
* Using I2P for email transport
For the most paranoid use cases it is also possible to use I2P as an email transport mechanism. This will of course require the people you're communicating with to have a similar setup in place. For details see the [[./app_bdsmail.html][bdsmail app]]. An advantage of this is that it's very unlikely that your email will get blocked. The disadvantage is that few others will be capable of receiving email this way, and it's only really usable via the Mutt email client.
Freedombone may be installed either in its entirety or as different variants with a more specialised purpose. So for example if you just want to run a blog but don't care about any other services then you can do that. The following variants are available:
#+BEGIN_EXPORT html
<center>
<table style="width:80%; border:0">
<tr>
<td><center><b>Mailbox</b><br>An email server with GPG encryption</center></td>
<td><center><b>Cloud</b><br>Sync and share files. Never lose important files again</center></td>
</tr>
<tr>
<td><center><b>Social</b><br>Social networking with Hubzilla and GNU Social</center></td>
<td><center><b>Media</b><br>Runs media services such as DLNA to play music or videos on your devices</center></td>
</tr>
<tr>
<td><center><b>Writer</b><br>Host your blog and wiki</center></td>
<td><center><b>Chat</b><br>Encrypted IRC, XMPP, Tox and VoIP services for one-to-one and many-to-many chat</center></td>
</tr>
<tr>
<td><center><b>Developer</b><br>Github-like system to host your software projects</center></td>
<td><center><b>Mesh</b><br>A wireless mesh network which is like the internet, but not the internet</center></td>
</tr>
</table>
</center>
#+END_EXPORT
Non-mesh installs also come with an RSS reader which provides strong reading privacy on desktop and mobile via the use of a Tor onion service.
Since compiling Atheros drivers for use with a wifi dongle on the Beaglebone Black takes a long time, pre-compiled drivers are also available here. These may be extracted into /lib/firmware/ before beginning the main installation via 'freedombone menuconfig'.